Expiring Keys

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Thu Oct 24 17:20:02 2002



On Thu, 2002-10-24 at 15:36, Scott_Carpenter@cargill.com wrote:
> Can anyone tell me what the benefit of expiring keys is?  I don't
> understand why it would increase security that much, but I hear that it
> is so.

Hi!

Always be careful with terms like 'it increases security' without
specifying the possible attack the security is provided against.

That said: key expiry is good, because when you can't revoke a key
anymore because your secret key is lost, the key won't appear valid
until the dawn of time.

Also, assuming an expiry date can not be changed, even if your secret
key was stolen, the attacker could not extend the validity of the key,
so the amount of damage he can do is restricted. (Note that with modern
(v4) keys, the expiry date *can* be changed, though. Before you discuss
this, please read the list archives of the various lists; it has been
discussed before.)

The downside of having a key expire is that your accumulated web of
trust gets lost. So you'll have to collect signatures from all signers
again, a very slow process.

I feel that the web of trust is very important, especially on a key used
to sign messages on public mailing lists etc., so I've set a very *long*
expiry period.

cheers
-- vbi


-- 
this email is protected by a digital signature   http://fortytwo.ch/gpg

NOTE: get my key here: http://www.google.com/search?q=mQGiBDx2a6ERBAC8l

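An added illustration, not part of the original mail or the list archive, of the point vbi makes about v4 keys: in OpenPGP (RFC 4880) the expiry of a v4 key is not a fixed property of the key packet but a "Key Expiration Time" subpacket (type 9, seconds after key creation) carried in the hashed area of the key's self-signature. Anyone holding the secret key can issue a newer self-signature with a different value, and implementations take the expiry from the most recent self-signature, which is why an expiry date limits damage from a *lost* secret key but not from a *stolen* one. The code below encodes and parses such subpackets and shows a constructed key whose one-year expiry is extended by a second self-signature; all timestamps and subpacket bytes are constructed for the example, and the helper names are my own, not GnuPG's.

```python
"""Where a v4 OpenPGP key's expiry lives, and why a new self-signature can change it.

Added example with constructed data; not code from the original mail.
"""
import struct
from typing import Dict, List, Optional

SIG_CREATION_TIME = 2    # subpacket type 2: signature creation time (RFC 4880 5.2.3.4)
KEY_EXPIRATION_TIME = 9  # subpacket type 9: key expiration time, seconds after key creation

ONE_YEAR = 365 * 86400
KEY_CREATED = 1_035_417_600  # constructed: 2002-10-24 00:00 UTC


def encode_subpacket(sub_type: int, body: bytes) -> bytes:
    """Encode one signature subpacket with the RFC 4880 5.2.3.1 length format."""
    length = len(body) + 1  # the type octet is counted in the length
    if length < 192:
        hdr = bytes([length])
    elif length < 8384:
        length -= 192
        hdr = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", length)
    return hdr + bytes([sub_type]) + body


def parse_subpackets(area: bytes) -> Dict[int, bytes]:
    """Decode a hashed subpacket area into {type: body}, clearing the critical bit."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:
            length = struct.unpack(">I", area[i + 1:i + 5])[0]
            i += 5
        sub_type = area[i] & 0x7F  # bit 7 marks the subpacket as critical
        out[sub_type] = area[i + 1:i + length]
        i += length
    return out


def make_self_sig(sig_time: int, expiry_seconds: Optional[int]) -> bytes:
    """Build the hashed subpacket area of a constructed self-signature."""
    area = encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", sig_time))
    if expiry_seconds is not None:
        area += encode_subpacket(KEY_EXPIRATION_TIME, struct.pack(">I", expiry_seconds))
    return area


def sig_time(area: bytes) -> int:
    return struct.unpack(">I", parse_subpackets(area)[SIG_CREATION_TIME])[0]


def key_expiry(key_created: int, self_sigs: List[bytes]) -> Optional[int]:
    """Expiry as a UNIX timestamp, or None if the key never expires.

    The most recent self-signature wins: an older expiry value is superseded
    by a newer self-signature, which only the secret-key holder can produce.
    """
    newest = max(self_sigs, key=sig_time)
    subs = parse_subpackets(newest)
    if KEY_EXPIRATION_TIME not in subs:
        return None
    return key_created + struct.unpack(">I", subs[KEY_EXPIRATION_TIME])[0]


def key_valid_at(key_created: int, self_sigs: List[bytes], when: int) -> bool:
    """True if the key is within its validity window at time `when`."""
    exp = key_expiry(key_created, self_sigs)
    return when >= key_created and (exp is None or when < exp)


# Constructed scenario: the original self-signature gives the key a one-year expiry.
ORIGINAL_SELF_SIG = make_self_sig(KEY_CREATED, ONE_YEAR)
# A later self-signature (issued by whoever holds the secret key) extends it to ten years.
EXTENDING_SELF_SIG = make_self_sig(KEY_CREATED + ONE_YEAR - 86400, 10 * ONE_YEAR)

if __name__ == "__main__":
    five_years_on = KEY_CREATED + 5 * ONE_YEAR
    print("valid after 5 years, original sig only:",
          key_valid_at(KEY_CREATED, [ORIGINAL_SELF_SIG], five_years_on))
    print("valid after 5 years, with extending sig:",
          key_valid_at(KEY_CREATED, [ORIGINAL_SELF_SIG, EXTENDING_SELF_SIG], five_years_on))
```

The lesson for a defender is the one in the mail: treat the expiry date as a bound on how long a key you can no longer revoke stays usable, not as a bound on what a thief can do with a stolen secret key, and keep a revocation certificate offline so that the revocation path, not expiry, is the primary remedy.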