Hi,
I'm not sure about all the technical details, and these may also vary by
client implementation.
In this case we have to distinguish between trust and cryptography.
The trust part includes expiration, revocation etc. They indicate
whether signed information could be trusted. If a signature was made
with an expired or a revoked certificate, the receiver should not trust
the signature.
On the crypto side: We just have private and public keys. So the bits
used for encryption and signing are still good. This means that, regardless of
expired or revoked certs, signatures and en/decryption are still possible.
A (private) certificate includes the private and public keys and a
signature by a possibly trusted authority. When renewing, the signature is
renewed. The keys (imho) remain unchanged. So you should be able to use
a renewed certificate also to decrypt older mails (no guarantee that it
works with your client).
From a user perspective: renew your certificate and keep the old
(whether revoked or expired) one to be able to decrypt older mails if
necessary.
Even a revoked certificate may be of use for the owner. E.g. a user may
have received important encrypted mails before. Then, his certificate
gets compromised. The cert is revoked, so it is no longer trusted by
others. But the user may still want to encrypt his older mail.
Mario
Post by Werner Dworak
Hello Tichodroma,
can an expired client certificate still be used for decryption? If
not, I'll have to export some encrypted emails before my client
certificate expires.
Yes, with an expired certificate you can still decrypt mails that
were encrypted with this certificate or verify mails signed with it. But
you can no longer encrypt or sign new mails.
But why do you not renew your certificate? It is very easy.
Another issue is a revoked certificate. With that you cannot do anything
any longer.
Regards, Werner
--
Mit freundlichen Grüßen / Best regards
Mario Lipinski
Infrastructure Team Leader, E-Mail: mario-xHchwMmBYmcdnm+***@public.gmane.org
Organisation Assurer (Germany), Internet: http://www.cacert.org
Arbitrator / Case Manager
CAcert
Support CAcert: http://www.cacert.org/index.php?id=13
http://wiki.cacert.org/wiki/HelpingCAcert
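
The split between trust and cryptography described in the message above can be reproduced with the OpenSSL command line. This is an added example, not part of the original thread: the file names, the subject `demo-user` and the sample message are constructed, a self-signed certificate stands in for a CA-issued one, and `-attime` is used to evaluate the certificate at a date after its expiry.

```shell
#!/bin/sh
# Constructed demo: file names, subject and message are made up for illustration.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Key pair plus a self-signed certificate that is valid for one day only.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-user" \
        -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
}

# A sender encrypts a mail body to the public key in the certificate.
encrypt_mail() {
    printf 'old confidential mail\n' > "$demo_dir/msg.txt"
    openssl smime -encrypt -binary -aes256 -in "$demo_dir/msg.txt" \
        -out "$demo_dir/msg.enc" "$demo_dir/cert.pem"
}

# Trust side: is the certificate inside its validity period at time $1
# (seconds since the epoch)? Succeeds only if the validity check passes.
cert_trusted_at() {
    openssl verify -attime "$1" -CAfile "$demo_dir/cert.pem" \
        "$demo_dir/cert.pem" >/dev/null 2>&1
}

# Crypto side: decryption needs only the private key; no validity date is consulted.
decrypt_mail() {
    openssl smime -decrypt -in "$demo_dir/msg.enc" -inkey "$demo_dir/key.pem"
}

make_identity && encrypt_mail
now=$(date +%s)
cert_trusted_at "$now" && echo "today: certificate accepted"
cert_trusted_at "$((now + 30 * 86400))" || echo "in 30 days: certificate rejected (expired)"
echo "decrypted with the kept private key: $(decrypt_mail)"
```

The mail stays readable for as long as the private key file is kept, which is why the old key material should be archived when a certificate is replaced.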