Renewing expiring key - done correctly?

Hauke Laging mailinglisten at
Tue Dec 3 23:44:20 CET 2013

Am Di 03.12.2013, 08:22:28 schrieb Eric Poellinger:

> PRIMARY QUESTIONS - I am uncertain about the sub-key.  When I attempt to
> 'expire' it the date does not seem to change.

What exactly did you do? Did you mark the subkey before and did you save the 
changes to the keyring after the expire command?

gpg> key 1

pub  3072R/0x711D8152  created: 2013-11-27  expires: 2014-11-27  usage: SCE 
                       trust: ultimate      validity: ultimate
sub* 2048R/0x48C7F0CD  created: 2013-11-27  expires: 2015-12-03  usage: S   


gpg> save

> Maybe you cannot expire a sub-key?

You can.

> SECONDARY QUESTION - is there documentation regarding 'best practices' on
> managing expiring keys and renewing via sub-keys --- my theory is that
> doing it this way minimizes the coordination necessary but I am not
> understanding how it works if you have multiple trading partners to
> coordinate with.

Expiration serves two purposes:
1) Passively revoke a key if you have lost access to the secret mainkey (i.e. 
to the key itself or to its passphrase).
2) Force your communication partners (people are lazy) to update your 
certificate from time to time (requires some understanding on their side).

The length of the validity period is a compromise between higher "security" 
and less inconvenience (your own, too).

I am not sure whether I understand correctly what you mean by "renewing". You 
can prolong the validity of subkeys and you can replace subkeys. It's not a 
big difference for your communication partners. Replacing subkeys for security 
reasons makes real sense only if you use a secure offline mainkey.

Usually you upload your certificate (public key) to a key server (or more) 
from where everyone can get updates of your certificate.

Crypto für alle:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20131203/f8b6453c/attachment-0001.sig>

More information about the Gnupg-users mailing list