Web lists-archives.com

Re: Expired GPG keys of older release

On 23/06/18 06:39, James Cloos wrote:
>>>>>> "T" == <tomas@xxxxxxxxxx> writes:
> T> And just extending the keys' validity (as someone proposed in this
> T> thread) seems a bad idea too, since the requirement for secure keys
> T> evolves over time, as the NSA^H^H^H bad guys buy more GPUs.
> The problem is that the point of a key's expiration time is that
> signatures newer than that should fail, but all signatures made before
> the expiration should verify.
> So, if apt's signature verification only looks at the key's expiration
> date and not at the signature's timestamp, that is a bug.

Disagree. If someone has a copy of the expired key (which is what
compromised means, right?), then they can fake the timestamp.


Attachment: signature.asc
Description: OpenPGP digital signature