expire function

David Shaw dshaw at jabberwocky.com
Mon Dec 20 15:13:36 CET 2004

On Mon, Dec 20, 2004 at 06:13:42PM +0530, Michael Kirchner wrote:
> Hi all,
> I am using GPG with Thunderbird and Enigmail to sign and encrypt mostly
> private communication. Up to now I used the "expires" date to make sure
> that my key will only be valid for about a year and so something like a
> date is attached to my signatures. After about a year I then generated a
> new key (eventually upgraded the size of the key), signed the new key
> with the old one and uploaded it.
> While at the time of starting with this method, some years back,
> everything seemed reasonable I lately come to think about it again, as I
> did never see anyone else do so (with the exception of the German CERT).
> Perhaps you might enlighten me: is there an special security problem
> connected to a yearly expire and reissuing of my keys?

The main problem is one of convenience.  If you have gathered a number
of signatures on your key, you have to get them over again with a new
key.  Since you say you are using it mainly for private communication,
perhaps this reason does not apply to you.

Note that signing the new key with the old one doesn't do anything in
the web of trust: expired keys are not counted.

A reasonable solution for the desire to have expiring keys, plus the
desire to have one well-known key to sign is to use subkeys and have
the subkeys expire.  That is what I do.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 250 bytes
Desc: not available
Url : /pipermail/attachments/20041220/11adb586/attachment.bin

More information about the Gnupg-users mailing list