Re: APT public key updates?
On Thu, Jan 05, 2006 at 04:43:13PM -0800, Thomas Bushnell BSG wrote:
> If the key is compromised, which is the only way the non-expiring key
> method can be broken, then the expiring key doesn't seem to be
> offering all that much additional security.
If the 2006 key takes (say) 15 months to compromise, then it is fine
to use it to sign and verify the new key on 1/1/2007, so long as you
perform that verification before March...
IOW using the old key to sign the new key only requires that the old
key be "good" at one point during the new year, whereas continuing to
use the old key requires that it be "good" all year.