expiring gpg keys

Faramir faramir.cl at gmail.com
Sun Jan 25 06:06:55 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

David Shaw wrote:
> On Jan 24, 2009, at 4:46 PM, Faramir wrote:
> 
>> David Newman wrote:
>>> Michael Lucas' gpg/pgp book recommends setting a relatively short
>>> expiration time, such as a year, for personal keys.
>>
>>  Well... I am not sure if that is a good idea... since if your key
...
> You don't have to do this if you don't want to.   If you set an
> expiration date and the key expires, you can always change the
> expiration date to a further date in the future (i.e. 'un-expiring' your
> key).

  Now that I think about it, what is the point of expiring the main key?
Protecting against losing the secret key and being unable to revoke it?
In the case of subkeys, if they are compromised, the attacker still
can't change their expiration date (since the main key remains secure),
but in the case of the main key... if it is compromised, the attacker
can do anything he/she wants... except un-revoking the copy on the keyservers.


>>   For GPG users, there is an alternative, to add a signing subkey, and
>> to remove the main key, and work with the subkeys. The main key would be
>> stored in a safe place, and would only be imported to sign other keys,
...

> This is what I do, FWIW.

  It's very much worth it, since I didn't know the opinion of experienced
users of GPG (in your case, a developer of it) about that alternative. Of
course I suppose the author of the tutorial I saw thinks it's a good idea,
but I don't really know anything about him, so...

  The tutorial is available at:
http://tjl73.altervista.org/secure_keygen/en/index.html

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJJe/NvAAoJEMV4f6PvczxA5S8H/j7yEeHsc2I/Gh6Sn0RL5goM
ognC6jB6qlW8RGQpFnmBCmN1gEu6N+0H0T4RvLskuUtKCgl5QBk/kQfSCHFcC3Hs
4HW2lH6DIBtZGsfjZkE8tDMSkIy1Eu6Qu8kyThU18OIXI4EiicK2FMIXGdJsAOCM
yuxZhw5vtbK08j8Q3umJRKjnyBOSfB584eMrtMAV6XDy7K+FVgqB0xC80Djehn5D
MVv8cepklfXZmWACcQyHpHaPvu7TJK7J0O5ZCqLqG/GTfFcsBsIJBmaXWj5br0Nu
GG4zPqACs+//CE9bV/Zn9lE8GvMR8cveHyEkkHbIf83SPUfRiQk3LqcCqPJtL00=
=/zGY
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list