RSA or DSA? That's the question

Sven Radde sven at radde.name
Sat Sep 8 12:58:18 CEST 2007


Robert J. Hansen schrieb:
>> One more thing: the key expiry. Do you think that setting the expiry 
>> date after a year or two is a good choice? Or is it better not to set an 
>> expiry date and revoke the key when necessary?
> 
> For most personal/home users, expiration is not necessary.

We might want to qualify that statement somewhat:

Specifying key expiry if you are concerned with *cryptanalytical
advances* is usually not necessary/sensible for a personal user, as said
user is normally not concerned with cryptanalysis. Even if s/he was,
making predictions whether the optimal key expiry period should be a
month, six months, one year or longer is hard/impossible.

Key expiry has another valuable function, however, that may serve well
for personal users (in fact, IMHO particularly well exactly for those
users): It serves as a sort of "automatic revocation" that even works
when you have lost access to your secret key / passphrase / revocation
certificate. If you have ensured that you can revoke your key under all
circumstances, you might go without key expiry.
For this purpose, something from six months to one year seems reasonable
to me.
Note in particular that the expiry date may be modified later on by
editing the key. This does not invalidate the key or any signatures by
third parties. Therefore, if your key reaches expiry, just add another
year and re-distribute it to the keyservers. It is not necessary to
create a wholly new key.

cu, Sven
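The two practical points above (expiry as an "automatic revocation" that needs no secret key or revocation certificate, and "just add another year" instead of making a new key) suggest a small housekeeping check: read gpg's machine-readable key listing and flag keys that are expired or about to expire, so the extension happens before the key lapses. The script below is an added example, not part of Sven's post or of GnuPG itself. The colon-separated listing it parses is constructed sample data (fake key IDs and fingerprints) in the shape of `gpg --with-colons --list-keys` output; the only real commands it refers to are `gpg --quick-set-expire` and `gpg --send-keys`, which it returns as argument lists rather than executing.

```python
"""Flag OpenPGP keys that are expired or close to expiry.

Input is the machine-readable listing produced by
``gpg --with-colons --list-keys``. Field positions used here (1-based,
as in GnuPG's DETAILS file): pub record field 5 = key ID, field 6 =
creation, field 7 = expiry (Unix seconds, or YYYY-MM-DD in old versions,
empty = never expires); fpr record field 10 = fingerprint;
uid record field 10 = user ID.
"""
from datetime import datetime, timezone

# CONSTRUCTED sample listing: three primary keys with fake IDs/fingerprints.
#   0123456789ABCDEF  created 2024-01-01, expires 2025-01-01
#   1111222233334444  created 2023-01-01, expired 2024-01-01
#   5555666677778888  created 2023-01-01, no expiry
SAMPLE_LISTING = """\
tru::1:1704067200:0:3:1:5
pub:u:3072:1:0123456789ABCDEF:1704067200:1735689600::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455550123456789ABCDEF:
uid:u::::1704067200::HASH0000::Alice Example <alice@example.invalid>::::::::::0:
sub:u:3072:1:FEDCBA9876543210:1704067200:1735689600:::::e::::::23:
fpr:::::::::9999888877776666555544443333FEDCBA9876543210:
pub:e:4096:1:1111222233334444:1672531200:1704067200::u:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:e::::1672531200::HASH1111::Bob Example <bob@example.invalid>::::::::::0:
pub:u:4096:1:5555666677778888:1672531200:::u:::scESC::::::23::0:
fpr:::::::::1234123412341234123412345555666677778888:
uid:u::::1672531200::HASH2222::Carol Example <carol@example.invalid>::::::::::0:
"""


def parse_expiry(field):
    """Expiry field -> aware UTC datetime, or None when the key never expires."""
    if not field:
        return None
    if field.isdigit():  # modern gpg: Unix timestamp
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    # older gpg: YYYY-MM-DD
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_keys(listing):
    """Group pub/fpr/uid records into one dict per primary key."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "fpr": None, "uids": [],
                       "expires": parse_expiry(f[6])}
            keys.append(current)
        elif current is None:
            continue  # records before the first pub (e.g. tru)
        elif f[0] == "fpr" and current["fpr"] is None:
            current["fpr"] = f[9]  # first fpr after pub belongs to the primary key
        elif f[0] == "uid":
            current["uids"].append(f[9])
    return keys


def classify(key, now, warn_days=30):
    """Return (status, days_left); status is never/expired/expiring/ok."""
    exp = key["expires"]
    if exp is None:
        return "never", None
    days = (exp - now).days
    if days < 0:
        return "expired", days
    if days <= warn_days:
        return "expiring", days
    return "ok", days


def expiry_report(listing, now=None, warn_days=30):
    """Map key ID -> status info. `now` may be None, a datetime or 'YYYY-MM-DD'."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    report = {}
    for key in parse_keys(listing):
        status, days = classify(key, now, warn_days)
        report[key["keyid"]] = {"status": status, "days_left": days,
                                "fpr": key["fpr"], "uids": key["uids"]}
    return report


def extend_commands(fpr, period="1y"):
    """Commands to push expiry out by `period` and redistribute the key.

    These are real GnuPG options (--quick-set-expire needs GnuPG >= 2.1.17);
    they are returned, not run, so the caller can review them first.
    """
    return [["gpg", "--quick-set-expire", fpr, period],
            ["gpg", "--send-keys", fpr]]


if __name__ == "__main__":
    for keyid, info in expiry_report(SAMPLE_LISTING, now="2024-12-15").items():
        print(keyid, info["status"], info["days_left"], info["uids"])
        if info["status"] in ("expired", "expiring"):
            for cmd in extend_commands(info["fpr"]):
                print("   ", " ".join(cmd))
```

On a live system, replace `SAMPLE_LISTING` with the output of `gpg --with-colons --list-secret-keys` (only keys you hold the secret part of can have their expiry extended) and run the check from a periodic job; extending the expiry rewrites the self-signature only, so, as the post says, third-party signatures on the key stay valid.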


