On Thu, May 12, 2022 at 06:06:41PM +0300, IL Ka wrote:
> Hi.
>
> OSes usually include all CA certificates (even expired). Windows also does
> it (I have CA expired in 1999 in win10).
>
> User should have the ability to distinguish between invalid signatures and
> old/expired signatures.
> While the latter is an expected situation, the former is definitely fraud.

This makes sense. OpenSSL is not only for stuff travelling in space, but also travelling in time (typically travelling from the past to the future; the other direction isn't yet quite common).

Think S/MIME mail sleeping in a mailbox for a couple of years. How are you supposed to check an old mail's signature if you throw away your old certificates?

Of course, you're using PGP (best in its gpg implementation), not S/MIME. But there, you face a similar problem. Keep your old keys around for as long as you keep your old encrypted or signed material around.

Cheers
--
t