Adrian 'Dagurashibanipal' von Bidder
Thu Oct 24 17:20:02 2002
On Thu, 2002-10-24 at 15:36, Scott_Carpenter@cargill.com wrote:
> Can anyone tell me what the benefit of expiring keys is? I don't
> understand why it would increase security that much, but I hear that it
> is so.
Always be careful with terms like 'it increases security' without
specifying the possible attack the security is provided against.
That said: key expiry is good, because when you can't revoke a key
anymore because your secret key is lost, the key won't appear valid
until the dawn of time.
Also, assuming an expiry date cannot be changed, even if your secret
key was stolen, the attacker could not extend the validity of the key;
the amount of damage he can do is restricted. (Note that with modern
(v4) keys, the expiry date *can* be changed, though. Before you discuss
this, please read the list archives of the various lists, it has been
The downside of having a key expire is that your accumulated web of
trust gets lost. So you'll have to collect signatures from all signers
again, a very slow process.
I feel that the web of trust is very important, especially on a key used
to sign messages on public mailing lists etc., so I've set a very *long*
this email is protected by a digital signature http://fortytwo.ch/gpg
NOTE: get my key here: http://www.google.com/search?q=mQGiBDx2a6ERBAC8l
Signature policy: http://fortytwo.ch/gpg/policy/email.20020822
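
As an added example (not part of the original message): a small Python audit of a keyring listing that flags the case described above, a key with no expiry date that keeps appearing valid if it can no longer be revoked. It assumes the `gpg --list-keys --with-colons` record format with dates as seconds since the epoch (as printed by GnuPG 2.x); the sample listing, key IDs and the `audit` function name are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in `gpg --list-keys --with-colons` format.
# Fields used: 1=record type, 2=validity, 5=key ID, 7=expiry (epoch seconds).
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAA1:1014336000:::-:::scESC:
uid:-::::1014336000::0000::Lost Key <lost@example.org>:
pub:-:4096:1:BBBBBBBBBBBBBBB2:1014336000:1077408000::-:::scESC:
pub:r:2048:1:CCCCCCCCCCCCCCC3:1014336000:::-:::sc:
pub:-:4096:1:DDDDDDDDDDDDDDD4:1014336000:1022889600::-:::scESC:
"""


def audit(listing, now):
    """Return {key ID: status} for every primary key in a colon listing."""
    report = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[0] != "pub":
            continue  # only primary-key records carry the data we need
        validity, keyid, expiry = fields[1], fields[4], fields[6]
        if validity == "r":
            status = "revoked"
        elif not expiry:
            # No expiry set: if the secret key is lost and no revocation
            # certificate exists, this key keeps appearing valid.
            status = "never expires"
        elif int(expiry) <= now.timestamp():
            status = "expired"
        else:
            day = datetime.fromtimestamp(int(expiry), timezone.utc).date()
            status = f"expires {day}"
        report[keyid] = status
    return report


if __name__ == "__main__":
    when = datetime(2002, 10, 24, tzinfo=timezone.utc)
    for keyid, status in audit(SAMPLE, when).items():
        print(keyid, status)
```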