[arch-general] signature from "Thorsten Tpper <xxx at xxx.xxx>" is unknown trust

Karol Babioch karol at babioch.de
Mon Jan 28 22:51:49 EST 2013


Hi,

On 29.01.2013 04:37, Gaetan Bisson wrote:
> Dave's answer certainly misses the real question of why Thorsten would
> want an expiration date on his GPG key,

Because it's good and common practice. There are several reasons for
this, one of which is a compromise. When you get compromised and lose
your revocation certificate, too, the key will expire at some point in time.

I'm not sure about GPG, but in the case of X.509 it also helps to keep the
certificate revocation lists (CRLs) short, as certificates that are
expired anyway don't have to be listed here explicitly.

When doing everything right, these kinds of issues shouldn't happen, as
you would update the involved keys (and packages) early enough.

Obviously we are all just humans and tend to forget about these things,
especially when they work just flawlessly for a reasonable amount of
time ;).

Best regards,
Karol Babioch
