
Re: Installing Jessie on PowerMac G4 (32 bit) -- expired key



On 23.06.20 09:56, Jeffrey Walton wrote:
[...]
> A signature applied during a valid key period is still good. For those
> following a key rotation scheme, no new signatures should occur after
> the key expires.

I agree. I have a related issue in my Thunderbird MUA. It keeps stating
that the - perfectly valid - signatures of signed messages I sent or
received and that were created with a - now expired - X.509 certificate
and private key, are invalid, instead of verifying against my still
existing private key in the MUA's keystore.

> But in the big Security Engineering picture, what we've found in
> practice is, key continuity is better than key rotation. As long as
> the key does not change unexpectedly, then the key is good.

Sounds straightforward to me.


> Peter Gutmann covers all of this stuff in his book Engineering
> Security (https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).

Nice read!

> I wish the maintainers of Apt would read it and stop wasting our time
> with these keys due to broken policies.

Maybe it's configurable.

Cheers,
Frank
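
The two validation policies contrasted in this message, as an added example that is not part of the original thread: checking key validity at verification time versus at signing time. All type names, function names and dates are hypothetical and constructed, and the cryptographic check is assumed to have been done elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class KeyValidity:              # hypothetical: validity window of a key or certificate
    not_before: datetime
    not_after: datetime
    def covers(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after

@dataclass(frozen=True)
class Signature:                # hypothetical: what a verifier knows about one signature
    crypto_ok: bool                          # outcome of the cryptographic check itself
    claimed_time: datetime                   # written by the signer, so it can be backdated
    trusted_time: Optional[datetime] = None  # independent evidence, e.g. a timestamp authority

def verify_at_now(sig: Signature, key: KeyValidity, now: datetime) -> bool:
    """Key must be valid when the verifier runs: old signatures fail once the key expires."""
    return sig.crypto_ok and key.covers(now)

def verify_at_signing_time(sig: Signature, key: KeyValidity, now: datetime) -> str:
    """Key must have been valid when the signature was made."""
    if not sig.crypto_ok:
        return "bad-signature"
    if sig.trusted_time is not None:
        return "valid" if key.covers(sig.trusted_time) else "signed-outside-validity"
    if key.covers(now):
        return "valid"
    # Key has expired and only the signer's own date is available: anyone still
    # holding the expired private key could have written that date.
    if key.covers(sig.claimed_time):
        return "unverifiable-time"
    return "signed-outside-validity"

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: a key that expired before the verification date.
KEY = KeyValidity(utc(2018, 1, 1), utc(2020, 1, 1))
NOW = utc(2020, 6, 23)
TIMESTAMPED = Signature(True, utc(2019, 5, 1), trusted_time=utc(2019, 5, 1))
CLAIMED_ONLY = Signature(True, utc(2019, 5, 1))
LATE = Signature(True, utc(2020, 3, 1))

if __name__ == "__main__":
    for name, sig in (("timestamped", TIMESTAMPED), ("claimed-only", CLAIMED_ONLY), ("late", LATE)):
        print(name, verify_at_now(sig, KEY, NOW), verify_at_signing_time(sig, KEY, NOW))
```

The "unverifiable-time" verdict is the case a verifier has to decide by policy: the signature is cryptographically sound, but nothing other than the signer's own date shows it was made before the key expired.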

