Best practice for periodic key change?

Doug Barton dougb at dougbarton.us
Fri May 6 22:37:12 CEST 2011


On 05/06/2011 08:34, Hauke Laging wrote:
> Am Freitag, 6. Mai 2011, 09:47:57 schrieb Doug Barton:
>
>> There's also another element, the expiration date is irrelevant if the
>> key is actually compromised. If Eve has your secret key she can simply
>> update or remove the expiration date, and upload the new version of the
>> public key to the public keyservers.
>
> That's not correct for subkeys and offline mainkeys as the good guys do it.

I don't understand this response. What I'm saying is that if the key is 
compromised, expiration dates become irrelevant. Perhaps you could 
expand your response a bit?

> I admit that a subkey expiration date does not make much sense for low
> security mainkeys but it is quite useful for more secure environments.

How so? I still haven't seen an explanation of what benefit the 
expiration date provides.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/



