Robert J. Hansen
rjh at sixdemonbag.org
Wed Apr 18 06:59:01 CEST 2007
> I have read what everybody has said on the subject and one
> thing needs to be said again. THE DEFAULT EXPIRE FOR A NEW
> KEY NEEDS TO BE FOR TWO YEARS FROM DATE OF KEY CREATION!

That's making some really big assumptions about the security policy
of the person making the key.

There are also a lot of perfectly good alternatives which should
perhaps be excluded first.

Also, a two-year expiration date will do very little to help people
who forget their passphrases within a few weeks of creating keys.
Once you remember the passphrase for a few weeks, it'll be in your

> For that matter, I think the pressure to shove their keys
> on to key-servers immediately just needs to be dropped.

A key which cannot be found is a liability, not an asset. The
keyservers exist to be used.
> Increasing computing power alone has made such things as
> DES almost laughable now. Keys shouldn't be made with the
> idea that they can last forever.

There are two responses to this, both of which are factually accurate:

1. We are unlikely to ever be able to brute-force a 256-bit
keyspace. Ever. Not until computers are made of something other
than matter, occupy something other than space, run on something
other than energy, according to rules other than physics.

2. This is a reason to advocate forethought when generating keys,
not a reason to advocate just one method of solving the problem.
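The thread argues about what expiration a new key should carry; whatever policy one picks, the defender's follow-up is to audit the keyring for keys that have expired, are about to, or were made with no expiration at all. The following is an added example, not code from the original post or from GnuPG itself. It parses the machine-readable `gpg --list-keys --with-colons` format (record type in field 1, key ID in field 5, creation and expiration times in fields 6 and 7, with an empty field 7 meaning the key never expires) and classifies each primary key. The listing is constructed sample data with placeholder key IDs; the second key expires exactly two years after creation, matching the default the quoted poster asks for.

```python
"""Audit OpenPGP key expiration from `gpg --list-keys --with-colons` output.

Added example; the listing below is constructed, not real GnuPG output.
"""
from datetime import datetime, timezone

# Constructed sample in the --with-colons format. Field 6 is the creation
# time and field 7 the expiration time (Unix epoch seconds in modern GnuPG;
# older releases printed YYYY-MM-DD). Key IDs and fingerprints are placeholders.
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1600000000:1663072000::u:::scESC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000001::Example One <one@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000002:1600000000:1663072000:::::e::::::23:
pub:u:4096:1:0000000000000003:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000003::Example Two <two@example.invalid>::::::::::0:
"""


def _parse_time(field):
    """Return an aware UTC datetime for a time field, or None if the field is empty.

    Handles both the epoch-seconds form and the older YYYY-MM-DD form.
    """
    if not field:
        return None
    if "-" in field:
        return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_primary_keys(listing):
    """Extract key ID, creation and expiration times for every 'pub' record."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue  # skip uid/sub/fpr and any other record types
        keys.append({
            "keyid": fields[4],
            "created": _parse_time(fields[5]),
            "expires": _parse_time(fields[6]),
        })
    return keys


def audit_expiry(listing, now_epoch, warn_days=30):
    """Map each primary key ID to one of: never-expires, expired, expiring-soon, ok.

    `now_epoch` is passed in explicitly so the audit is reproducible;
    `warn_days` is the window before expiry at which a key is flagged.
    """
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    report = {}
    for key in parse_primary_keys(listing):
        exp = key["expires"]
        if exp is None:
            status = "never-expires"
        elif exp <= now:
            status = "expired"
        elif (exp - now).days < warn_days:
            status = "expiring-soon"
        else:
            status = "ok"
        report[key["keyid"]] = status
    return report


if __name__ == "__main__":
    # Run against the constructed listing using the current time.
    current = int(datetime.now(timezone.utc).timestamp())
    for keyid, status in audit_expiry(SAMPLE_LISTING, current).items():
        print(f"{keyid}: {status}")
```

To run it on a real keyring, pipe `gpg --list-keys --with-colons` into `audit_expiry` in place of `SAMPLE_LISTING`; the classification does not depend on which expiration policy the keyring owner chose, which is the point of separating the audit from the policy debate above.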