On 2020-08-13 at 16:43 +0200, Pierre-Elliott Bécue wrote:
> > gpg has a `--ask-cert-expire` flag and a `--default-cert-expire`
> > option in that effect. Expired certification signatures will be
> > ignored when building the Web of Trust.
> >
> > Cheers
>
> This could work, but we'd have to handle the case when developers
> forget to set a signature as time-limited/don't follow this thread and
> never care to set it up.
>
> I'd rather avoid relying on signatures, than making the meaning of
> signature quite less tangible.

I don't see your point. We have a general standard of what to require
for signing, and this thread started asking about weakening them due to
the pandemic.

Limiting the time the signature is valid is a time-limited way to do
that. And it is a cryptographic one, which is a very nice feature.

I would like to have some common notation so that the standard used
could be tracked, too.

If a developer is going to forget how to do a "weak value" signature, he
should probably stick to the standards he has generally used, but
anyway, if someone wanted to do a limited-time signature but forgot the
parameter, he should do exactly the same as if he signed Eve's key while
intending to sign Alice's: revoke the wrong signature and create a new
one.

Regards

Ángel