RFC on issue 2701, default expiration time for new keys

Werner Koch wk at gnupg.org
Fri Dec 9 20:56:57 CET 2016


On Fri,  9 Dec 2016 19:20, peter at digitalbrains.com said:

> So if you happen to lose access to the private key material of a subkey,
> you can revoke or expire it on the spot, with the primary key.

That is indeed one of the purposes of an offline primary key.  You can
simply create a new subkey or change the subkey's expiration time.

I concur that a default expiration time for a subkey makes no sense.

Tweaking subkeys is an expert operation.  The only valid reason for a
default expiration time, as suggested by Justus, is to limit the time
data can accidentally be encrypted to a key of which the owner forgot the
passphrase (common case) or lost the key material.

With access to the primary secret key a user can do all necessary key
operations.

FWIW, I would like to see a 2-year expiration time for new keys.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
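As an added example (not from the thread or from GnuPG itself), a small Python audit of a `gpg --with-colons` key listing that flags primary keys and subkeys which never expire or whose lifetime exceeds the 2-year maximum suggested above. The listing is constructed, the key IDs are placeholders, and the 730-day limit is an assumption.

```python
"""Audit a `gpg --with-colons` listing for keys without an expiration
or with a lifetime longer than a chosen maximum (2 years here)."""
from datetime import datetime, timezone

MAX_LIFETIME_SECONDS = 2 * 365 * 24 * 3600  # assumption: 2 years = 730 days

# Constructed sample listing with placeholder key IDs (not real keys).
# In pub/sub records field 6 is the creation time and field 7 the
# expiration time, both as seconds since the epoch (empty = never).
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1481313600::::u:::scESC::::::23::0:
uid:u::::1481313600::HASH::Example User <user at example.invalid>::::::::::0:
sub:u:4096:1:0000000000000002:1481313600:1544385600:::::e::::::23:
sub:u:4096:1:0000000000000003:1481313600:1639008000:::::s::::::23:
"""


def _parse_time(field):
    """Return epoch seconds for a gpg time field, or None if it is empty."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    # Older gpg versions emit YYYY-MM-DD; treat that as midnight UTC.
    parsed = datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def audit_listing(listing, max_lifetime=MAX_LIFETIME_SECONDS):
    """Return (keyid, record_type, problem) tuples for pub/sub records that
    never expire or whose creation-to-expiration span exceeds max_lifetime."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue  # uid, fpr, sig and other records carry no expiry to check
        keyid = fields[4]
        created, expires = _parse_time(fields[5]), _parse_time(fields[6])
        if expires is None:
            findings.append((keyid, fields[0], "no expiration"))
        elif created is not None and expires - created > max_lifetime:
            findings.append((keyid, fields[0], "lifetime exceeds maximum"))
    return findings


if __name__ == "__main__":
    for keyid, kind, problem in audit_listing(SAMPLE_LISTING):
        print(f"{kind} {keyid}: {problem}")
```

To audit a real keyring, feed `gpg --list-keys --with-colons` output to `audit_listing` instead of the constructed sample.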