Expiring Keys

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Thu Oct 24 17:20:02 2002


On Thu, 2002-10-24 at 15:36, Scott_Carpenter@cargill.com wrote:
> Can anyone tell me what the benefit of expiring keys is?  I don't
> understand why it would increase security that much, but I hear that it
> is so.


Always be careful with terms like 'it increases security' without
specifying the possible attack the security is provided against.

That said: key expiry is good, because when you can't revoke a key
anymore because your secret key is lost, the key won't appear valid
until the dawn of time.

Also, assuming an expiry date cannot be changed, even if your secret
key was stolen, the attacker could not extend the validity of the key,
so the amount of damage he can do is restricted. (Note that with modern
(v4) keys, the expiry date *can* be changed, though. Before you discuss
this, please read the archives of the various lists; it has been
discussed before.)

The downside of having a key expire is that your accumulated web of
trust gets lost. So you'll have to collect signatures from all signers
again, a very slow process.

I feel that the web of trust is very important, especially on a key used
to sign messages on public mailing lists etc., so I've set a very *long*
expiry period.

-- vbi

this email is protected by a digital signature   http://fortytwo.ch/gpg

NOTE: get my key here: http://www.google.com/search?q=mQGiBDx2a6ERBAC8l


Signature policy: http://fortytwo.ch/gpg/policy/email.20020822
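The trade-off discussed above (an expiry bounds the damage from a lost or stolen secret key, while a very long or absent expiry keeps the web of trust intact) can be audited across a keyring. The following is an added example, not code from the original post or from GnuPG: it parses the `--with-colons` record format that `gpg --list-keys --with-colons` prints and flags keys that are expired, never expire, expire soon, or have a validity window longer than a chosen policy. The sample records and key IDs are constructed for the example; the policy thresholds are assumptions.

```python
# Constructed sample of `gpg --list-keys --with-colons` output (no real keys).
# In a "pub" record: field 1 = type, 2 = validity, 5 = key ID,
# 6 = creation time (epoch seconds), 7 = expiry time (epoch seconds, empty = never).
SAMPLE = """\
pub:u:4096:1:0000000000000001:1600000000:1631536000::u:::scESC::::::23::0:
uid:u::::1600000000::HASH1::Alice <alice@example.org>::::::::::0:
pub:e:2048:1:0000000000000002:1500000000:1531536000::-:::scESC::::::23::0:
pub:u:4096:1:0000000000000003:1600000000:::u:::scESC::::::23::0:
pub:u:4096:1:0000000000000004:1600000000:1660000000::u:::scESC::::::23::0:
pub:u:4096:1:0000000000000005:1600000000:1900000000::u:::scESC::::::23::0:
"""

DAY = 86400


def parse_public_keys(colon_output):
    """Return [(keyid, created_epoch, expires_epoch_or_None)] for each pub record."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] != "pub":
            continue  # skip uid/sub/fpr records; only the primary key's expiry matters here
        created = int(f[5])
        expires = int(f[6]) if f[6] else None  # empty field 7 means "does not expire"
        keys.append((f[4], created, expires))
    return keys


def classify(created, expires, now, max_days, warn_days):
    """Classify one key relative to the audit time and an assumed local policy."""
    if expires is None:
        return "no-expiry"  # cannot be revoked if the secret key is lost -> valid forever
    if expires <= now:
        return "expired"
    if expires - now <= warn_days * DAY:
        return "expiring-soon"  # time to extend (v4 keys allow it) or re-collect signatures
    if (expires - created) / DAY > max_days:
        return "exceeds-policy"  # long window: larger damage bound if the key is compromised
    return "ok"


def audit(colon_output, now, max_days=730, warn_days=30):
    """Audit every public key in the colon output; returns [(keyid, status)]."""
    return [(keyid, classify(created, expires, now, max_days, warn_days))
            for keyid, created, expires in parse_public_keys(colon_output)]


if __name__ == "__main__":
    for keyid, status in audit(SAMPLE, now=1650000000):
        print(keyid, status)
```

On a live system, pipe the real listing in with `gpg --list-keys --with-colons` and pass the current time as `now`.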