On Thu, Jan 19, 2017 at 11:44 PM, Razer <g2s@riseup.net> wrote:
gpg: Signature made Mon 15 Aug 2016 10:01:19 PM PDT using RSA key ID 139A768E Primary key fingerprint: 4E07 9126 8F7C 67EA BE88 F1B0 3043 E2B7 139A 768E
The canary hasn't been updated but the gpg output still shows a good sig
They could still kill the canary be revoking the key, and they haven't done that.
A canary that has not met its own terms of service is a dead canary. If the terms were defective, cause of death might be found as some specific like from being tossed overboard in muddy waters with concrete shoes on, regardless still quite dead. The sig will always bitwise validate, though what level of value to place in any sig expiry parameter is up to user. In canary it should be treated as a bound on validity. Though most seem to make their validity period statement in the content they're signing over. As to key revocation, a reup selfsig to that key landed on 2016-10-21, with five hopefully thoughtful and careful wot sigs over it since then. With four of them occurring on or after the content expiry date. Other keys possibly belonging to riseup have not reupped or revoked, nor may necessarily be known to public wot, such as this on sks pub 4096R/D6F6C5B4 2010-11-11 archive collective@ The bird is well beyond it's update schedule, therefore it's dead. Remains to be seen whether there will be an updated canary, silence, or free speech / destruction possibly including potential martrydom in the brig.