Renewing expiring key - done correctly?

Hauke Laging mailinglisten at
Wed Dec 4 00:20:10 CET 2013

Am Mi 04.12.2013, 00:00:21 schrieb Johannes Zarl:

> Sorry for asking a possibly stupid question, but how exactly does a shorter
> validity period get you more security?

This is the security against the possibility that

a) the key has been compromised and revoked and you don't know that (because 
your last certificate update was before the revocation publishing)

b) the key has been compromised and cannot be revoked (because the owner has 
lost access to the secret mainkey and has neither a revocation certificate nor 
a (usable) designated revoker)

Imagine a certificate which is always prolonged for just one day. If this gets 
compromised then it will not be prolonged any more (at least not by its owner 
but we all love our highly secure offline mainkeys, don't we?) so everyone 
will notice that within hours.

On the other hand imagine a certificate which never expires and a lazy user 
(who seldom uses that key). Even a year after its revocation the lazy user may 
not have noticed the revocation yet. And thus encrypts critical information to 
the compromised key. Or worse (because the key owner wouldn't notice): Uses it 
to validate software.

Crypto für alle:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20131204/f1fee3b6/attachment.sig>

More information about the Gnupg-users mailing list