expiring gpg keys

Faramir faramir.cl at gmail.com
Sun Jan 25 06:06:55 CET 2009

David Shaw wrote:
> On Jan 24, 2009, at 4:46 PM, Faramir wrote:
>> David Newman wrote:
>>> Michael Lucas' gpg/pgp book recommends setting a relatively short
>>> expiration time, such as a year, for personal keys.
>>  Well... I am not sure if that is a good idea... since if your key
> You don't have to do this if you don't want to. If you set an
> expiration date and the key expires, you can always change the
> expiration date to a further date in the future (i.e. 'un-expiring' your
> key).

  Now that I think about it, what is the point of expiring the main key?
Protecting against losing the secret key and being unable to revoke it?
In the case of subkeys, if they are compromised, the attacker still
can't change their expiration date (since the main key remains secure),
but in the case of the main key... if it is compromised, the attacker
can do anything he/she wants... except un-revoking the copy from keyservers.

>>   For GPG users, there is an alternative, to add a signing subkey, and
>> to remove the main key, and work with the subkeys. The main key would be
>> stored in a safe place, and would only be imported to sign other keys,

> This is what I do, FWIW.

  It's well worth it, since I didn't know the opinion of experienced users
(in your case, a developer) of GPG about that alternative. Of course I
suppose the author of the tutorial I saw thinks it's a good idea, but I
don't really know anything about him, so...

  The tutorial is available at:

  Best Regards
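An added example, not part of the original thread: a small Python audit that reads the machine-readable output of `gpg --with-colons -K` and checks the two practices discussed above, namely that the primary key's secret material is kept offline (GnuPG shows such a key as a stub, `#`, in field 15 of the listing) and that every subkey carries an expiration date. The listing embedded below is constructed for the example and is not a real key.

```python
"""Audit a `gpg --with-colons -K` listing for offline-primary key hygiene."""
from datetime import datetime, timezone

# Constructed sample of `gpg --with-colons -K` output (not a real key):
# a primary key whose secret part is a stub ('#') plus two subkeys,
# the second of which has no expiration date (field 7 is empty).
SAMPLE = """\
sec:u:2048:1:0123456789ABCDEF:1232841600:1264377600::u:::scESC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1232841600::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:2048:1:1111111111111111:1232841600:1264377600:::::s:::+:::23:
fpr:::::::::00000000000000000000000001111111111111111111:
ssb:u:2048:1:2222222222222222:1232841600::::::e:::+:::23:
"""

def parse_secret_listing(text):
    """Return one dict per sec/ssb record in a --with-colons listing."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        f += [""] * (16 - len(f))  # tolerate short records from older versions
        keys.append({
            "type": f[0],                               # field 1: sec or ssb
            "keyid": f[4],                              # field 5: key ID
            "expires": int(f[6]) if f[6] else None,     # field 7: epoch seconds
            "caps": f[11],                              # field 12: capabilities
            "offline": f[14] == "#",                    # field 15: '#' = stub only
        })
    return keys

def audit(keys, now=None):
    """Return human-readable findings; an empty list means nothing to fix."""
    now = now or int(datetime.now(timezone.utc).timestamp())
    findings = []
    for k in keys:
        if k["type"] == "sec" and not k["offline"]:
            findings.append(f"{k['keyid']}: primary secret key is on this machine; keep it offline")
        if k["expires"] is None:
            findings.append(f"{k['keyid']}: no expiration date set")
        elif k["expires"] < now:
            when = datetime.fromtimestamp(k["expires"], timezone.utc)
            findings.append(f"{k['keyid']}: expired on {when:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_secret_listing(SAMPLE), now=1240000000):
        print(finding)
```

On a real machine, replace SAMPLE with the output of `gpg --with-colons -K`; a `sec` record without the `#` stub marker means the primary secret key is still present on disk.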