Best practice for periodic key change?

Doug Barton dougb at
Fri May 6 22:37:12 CEST 2011

On 05/06/2011 08:34, Hauke Laging wrote:
> Am Freitag, 6. Mai 2011, 09:47:57 schrieb Doug Barton:
>> There's also another element, the expiration date is irrelevant if the
>> key is actually compromised. If Eve has your secret key she can simply
>> update or remove the expiration date, and upload the new version of the
>> public key to the public keyservers.
> That's not correct for subkeys and offline mainkeys as the good guys do it.

I don't understand this response. What I'm saying is that if the key is 
compromised, expiration dates become irrelevant. Perhaps you could 
expand your response a bit?

> I admit that a subkey expiration date does not make much sense for low
> security mainkeys but it is quite useful for more secure environments.

How so? I still haven't seen an explanation of what benefit the 
expiration date provides.
	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)
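An added example, not part of either poster's message, that demonstrates the "offline mainkey" point under discussion: a subkey's expiration is carried in a binding signature made by the primary key, so a machine holding only the secret subkeys cannot extend it. It assumes GnuPG 2.2 or later is installed as `gpg`; the user ID, algorithms and lifetimes are constructed values.

```shell
#!/bin/sh
# Illustrative script (not from the thread). Builds a primary key plus one
# encryption subkey, copies only the secret subkey into a second keyring
# (the primary becomes a stub, as on an "online" host), then tries to push
# the subkey's expiration out from that second keyring.
set -eu

# Returns 0 if extending the subkey expiry FAILS without the primary secret
# key (the expected, defender-friendly outcome), 1 if it unexpectedly works.
subkey_expiry_needs_primary() {
    full=$(mktemp -d); online=$(mktemp -d)
    chmod 700 "$full" "$online"
    # 1. Full keyring: certify-only primary, valid one year (constructed values).
    GNUPGHOME="$full" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example <ex@example.invalid>' ed25519 cert 1y
    fpr=$(GNUPGHOME="$full" gpg --batch --with-colons --list-keys \
        | awk -F: '$1=="fpr"{print $10; exit}')
    # 2. Encryption subkey that expires in 30 days.
    GNUPGHOME="$full" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-subkey "$fpr" cv25519 encr 30d
    subfpr=$(GNUPGHOME="$full" gpg --batch --with-colons --list-keys "$fpr" \
        | awk -F: '$1=="fpr"{f=$10} END{print f}')
    # 3. Export only the secret subkeys into the "online" keyring; the
    #    primary secret key is replaced by a stub there.
    GNUPGHOME="$full" gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys "$fpr" \
        | GNUPGHOME="$online" gpg --batch --quiet --import
    # 4. Extending the subkey's expiry needs a fresh binding signature from
    #    the primary key, which the online keyring does not have.
    if GNUPGHOME="$online" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-set-expire "$fpr" 10y "$subfpr" 2>/dev/null; then
        rc=1
    else
        rc=0
    fi
    GNUPGHOME="$full" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$online" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$full" "$online"
    return $rc
}
```

Run `subkey_expiry_needs_primary && echo "subkey expiry is pinned by the offline primary"`; the same edit succeeds in the full keyring, which is exactly the capability a compromise of the primary key would give an attacker.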
