Expiring Keys

David Shaw dshaw@jabberwocky.com
Thu Oct 24 17:42:02 2002


On Thu, Oct 24, 2002 at 08:36:04AM -0500, Scott_Carpenter@cargill.com wrote:
> Can anyone tell me what the benefit of expiring keys is?  I don't 
> understand why it would increase security that much, but I hear that it 
> is so.

There is some confusion with expiring keys, since the meaning of
expiration changed a few years ago.  In the old v3 keys (PGP 2.x),
expiration meant "this key only lasts this long, period."  Once the
key expired, the key was dead.  In the new v4 keys (PGP 5+, GnuPG),
expiration means "I plan on using the key this long, but I may change
my mind" - the expiration date can be changed by the key owner, even
after the key has "expired".

Anyway, expiration is a tool that you can use to handle certain
problems like the loss of a secret key.  After the key expires, nobody
will use it.  It does not protect you against a stolen secret key
since the attacker could just extend or remove the expiration date
himself.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
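As an added illustration of the v3/v4 distinction described above (not part of the original message): a small Python builder and parser for constructed, structurally valid OpenPGP packets, showing that a v3 key carries its validity period inside the key packet itself, while a v4 key has no expiration field at all and the date lives in a subpacket of the owner's self-signature, which the holder of the secret key can simply reissue with a different date. Packet layouts follow the OpenPGP format (RFC 4880); the creation time is a constructed value, and MPIs, hash prefix and real signature material are omitted.

```python
import struct

# Constructed sample packets: structurally valid OpenPGP, no real key material.
CREATED = 1035417600  # constructed key creation time (2002-10-24 UTC)
DAY = 86400

def _packet(tag, body):  # old-format header with a one-byte length
    return bytes([0x80 | (tag << 2), len(body)]) + body

def _subpacket(sp_type, data):
    return bytes([len(data) + 1, sp_type]) + data

def v3_key(created, valid_days):
    # v3 public key: version, creation time, validity (days), algorithm.
    # The expiration is a field of the key packet itself (MPIs omitted).
    return _packet(6, b"\x03" + struct.pack(">IH", created, valid_days) + b"\x01")

def v4_key(created):
    # v4 public key: version, creation time, algorithm. No expiration field.
    return _packet(6, b"\x04" + struct.pack(">I", created) + b"\x11")

def v4_self_sig(created, valid_days):
    # v4 self-signature (type 0x13) whose hashed subpackets carry the signature
    # creation time (type 2) and key expiration time (type 9, seconds after creation).
    hashed = (_subpacket(2, struct.pack(">I", created))
              + _subpacket(9, struct.pack(">I", valid_days * DAY)))
    return _packet(2, bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(hashed))
                   + hashed + b"\x00\x00")  # empty unhashed area; hash/MPIs omitted

def packets(data):
    pos = 0
    while pos < len(data):
        tag, length = (data[pos] >> 2) & 0x0F, data[pos + 1]
        yield tag, data[pos + 2:pos + 2 + length]
        pos += 2 + length

def key_expiry(data):
    """Return (key version, expiry as unix time or None) for a key block."""
    version = created = expiry = None
    for tag, body in packets(data):
        if tag == 6:  # public key packet
            version, created = body[0], struct.unpack(">I", body[1:5])[0]
            if version == 3:
                days = struct.unpack(">H", body[5:7])[0]
                expiry = created + days * DAY if days else None
        elif tag == 2 and version == 4:  # v4 self-signature: scan hashed subpackets
            pos, end = 6, 6 + struct.unpack(">H", body[4:6])[0]
            while pos < end:
                if body[pos + 1] & 0x7F == 9:
                    expiry = created + struct.unpack(">I", body[pos + 2:pos + 6])[0]
                pos += 1 + body[pos]
    return version, expiry
```

Feeding the same v4 key packet with a freshly built self-signature for a longer period changes the reported expiry without touching a byte of the key packet, which is exactly why expiration is no defence against someone who holds the secret key.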