RFC on issue 2701, default expiration time for new keys

Neal H. Walfield neal at walfield.org
Fri Dec 9 15:14:39 CET 2016

On Fri, 09 Dec 2016 14:55:54 +0100,
Justus Winter wrote:
> Justus Winter <justus at g10code.com> writes:
> > This now begs the question what a good default expiration time is.
> > Thoughts?
> Based on the feedback I went with two years.  Objections?

I think two years is a good minimum reasonable default.  But, not yet.

The problem that I see is that the tools are not yet there.  With a
two year default, people are going to have to start extending the
expiration in about 18 to 20 months (to give time for the update to
propagate).  The tools (e.g., enigmail) should make extending the
expiration easy (e.g., a dialog: do you want to extend your key's
expiration for another two years?), but AFAIK they don't yet.
Further, users are going to have to update keys regularly.  Ideally,
dirmngr should do this automatically a la parcimonie, but that
functionality is only planned for gpg 2.3.

As such, I wonder if starting with a 4 or 5 year default expiration
wouldn't be better.


:) Neal
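As an added illustration that is not part of Neal's message or of GnuPG's own tooling: a small Python check that scans `gpg --list-keys --with-colons` output and flags keys that have entered the renewal window the message describes (roughly the last four to six months of a two-year lifetime), which is the kind of reminder a tool like enigmail or dirmngr would need to raise. The colon listing is constructed here, the key IDs and user IDs are placeholders, and the six-month lead window is an assumption derived from the 18-to-20-month figure above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def _ts(year: int, month: int, day: int) -> int:
    """Seconds since the epoch at midnight UTC, as gpg prints dates in colon output."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed sample of `gpg --list-keys --with-colons` output (placeholder key IDs).
# Field 5 is the key ID, field 6 the creation date, field 7 the expiration date
# (empty when the key never expires). Subkey ("sub") records share the layout.
SAMPLE = "\n".join([
    "tru::1:%d:0:3:1:5" % _ts(2017, 6, 1),
    # A: fresh key with the proposed two-year default
    "pub:u:2048:1:0A1B2C3D4E5F6071:%d:%d::u:::scESC::::::23::0:" % (_ts(2016, 12, 9), _ts(2018, 12, 9)),
    "uid:u::::%d::HASHPLACEHOLDER::Alice Example <alice at example.invalid>::::::::::0:" % _ts(2016, 12, 9),
    "sub:u:2048:1:7160F5E4D3C2B1A0:%d:%d:::::e::::::23:" % (_ts(2016, 12, 9), _ts(2018, 12, 9)),
    # B: two-year key created earlier, now inside the renewal window
    "pub:u:2048:1:1122334455667788:%d:%d::u:::scESC::::::23::0:" % (_ts(2015, 9, 1), _ts(2017, 9, 1)),
    "uid:u::::%d::HASHPLACEHOLDER::Bob Example <bob at example.invalid>::::::::::0:" % _ts(2015, 9, 1),
    # C: key with no expiration set at all
    "pub:u:2048:1:99AABBCCDDEEFF00:%d:::u:::scESC::::::23::0:" % _ts(2014, 5, 5),
    "uid:u::::%d::HASHPLACEHOLDER::Carol Example <carol at example.invalid>::::::::::0:" % _ts(2014, 5, 5),
    # D: key whose expiration already passed
    "pub:e:2048:1:DEADBEEF00112233:%d:%d::u:::scESC::::::23::0:" % (_ts(2014, 1, 1), _ts(2016, 1, 1)),
    "uid:e::::%d::HASHPLACEHOLDER::Dave Example <dave at example.invalid>::::::::::0:" % _ts(2014, 1, 1),
])

# Constructed "current time" so the classification below is deterministic.
SAMPLE_NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)

# Assumption: prompt for renewal once six months or less of lifetime remain,
# i.e. around month 18 of a 24-month key, matching the figure in the message.
RENEWAL_LEAD = timedelta(days=182)


@dataclass
class KeyRecord:
    keyid: str
    created: datetime
    expires: Optional[datetime]  # None when the key has no expiration


def parse_colon_listing(text: str) -> List[KeyRecord]:
    """Extract primary-key records from colon-format output."""
    keys: List[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue  # uid/sub/tru records are skipped in this check
        created = datetime.fromtimestamp(int(fields[5]), tz=timezone.utc)
        expires = (datetime.fromtimestamp(int(fields[6]), tz=timezone.utc)
                   if fields[6] else None)
        keys.append(KeyRecord(fields[4], created, expires))
    return keys


def classify(key: KeyRecord, now: datetime, lead: timedelta = RENEWAL_LEAD) -> str:
    """Return one of: no-expiry, expired, extend-soon, ok."""
    if key.expires is None:
        return "no-expiry"
    if key.expires <= now:
        return "expired"
    if key.expires - now <= lead:
        return "extend-soon"
    return "ok"


def report(text: str = SAMPLE, now: datetime = SAMPLE_NOW) -> Dict[str, str]:
    """Map each primary key ID in the listing to its renewal status."""
    return {k.keyid: classify(k, now) for k in parse_colon_listing(text)}


if __name__ == "__main__":
    for keyid, status in report().items():
        print(keyid, status)
```

In practice the listing would come from running `gpg --with-colons --list-keys` and the current time from the clock; the "extend-soon" keys are the ones a client should prompt about, and subkey ("sub") records can be classified the same way since they carry their own expiration in the same field.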

