RFC on issue 2701, default expiration time for new keys
Werner Koch
wk at gnupg.org
Fri Dec 9 20:56:57 CET 2016
On Fri, 9 Dec 2016 19:20, peter at digitalbrains.com said:
> So if you happen to lose access to the private key material of a subkey,
> you can revoke or expire it on the spot, with the primary key.
That is indeed one of the purposes of an offline primary key. You can
simply create a new subkey or change the subkey's expiration time.
I concur that a default expiration time for a subkey makes no sense.
Tweaking subkeys is an expert operation. The only valid reason for a
default expiration time, as suggested by Justus, is to limit the time
data can accidentally be encrypted to a key of which the owner forgot the
passphrase (common case) or lost the key material.
With access to the primary secret key a user can do all necessary key
operations.
FWIW, I would like to see a 2-year expiration time for new keys.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
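The workflow Werner describes above (a certify-only primary key that can stay offline, a 2-year expiry on new keys, and fixing a subkey with nothing but the primary key), as an added shell example that is not part of this mail or of GnuPG's own code. It assumes gpg 2.2 or later on PATH and works in a throwaway keyring with a constructed identity.

```sh
#!/bin/sh
# Added example (not from the mail or from GnuPG itself): an offline-capable
# certify-only primary key, a 2-year expiry, and a subkey fixed with the
# primary key alone. Assumes gpg 2.2 or later on PATH.
set -eu

# Throwaway keyring so the user's real keyring is never touched.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Unattended gpg; the demo key has no passphrase so no pinentry appears.
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the primary key ($2 = 0, default) or of the Nth subkey.
fpr_of() {
    gpgq --with-colons --with-subkey-fingerprint --list-keys "$1" |
        awk -F: -v n="${2:-0}" '$1 == "fpr" { if (i++ == n) { print $10; exit } }'
}

# Days from creation to expiry for the "pub" or "sub" record ($2): in
# --with-colons output field 6 is the creation and field 7 the expiry time.
lifetime_days() {
    gpgq --with-colons --list-keys "$1" |
        awk -F: -v t="$2" '$1 == t { print int(($7 - $6) / 86400); exit }'
}

# Certify-only primary key (usage "cert") with the 2-year expiry the mail
# proposes for new keys; the identity is constructed for this demo.
UID_STR="Example User <example@example.invalid>"
gpgq --quick-generate-key "$UID_STR" ed25519 cert 2y
PRIMARY=$(fpr_of "$UID_STR")

# Everyday encryption subkey, also expiring after 2 years.
gpgq --quick-add-key "$PRIMARY" cv25519 encr 2y
SUBKEY=$(fpr_of "$PRIMARY" 1)
echo "subkey lifetime at creation: $(lifetime_days "$PRIMARY" sub) days"

# If the subkey material or its passphrase is lost, the primary key alone
# can cut the subkey's lifetime short: here to one year from now.
gpgq --quick-set-expire "$PRIMARY" 1y "$SUBKEY"
echo "subkey lifetime after set-expire: $(lifetime_days "$PRIMARY" sub) days"
```

The same `--quick-set-expire` call with `*` instead of the subkey fingerprint re-dates every subkey at once, which is the routine an offline primary key is kept for.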