Renewing expiring key - done correctly?

Hauke Laging mailinglisten at hauke-laging.de
Wed Dec 4 00:59:53 CET 2013


On Wed 04.12.2013, 00:39:46, Johannes Zarl wrote:

> Isn't that just a false sense of security? After all, if the key has been
> compromised, the attacker can just prolong the validity

He could, but he would need the secret mainkey for that operation and...


> > but we all love our highly secure offline mainkeys, don't we?

...keys without offline mainkey on insecure systems are a security joke 
anyway.


> that the owner can just issue a revocation certificate

It may be possible to prevent someone from seeing the revocation certificate. 
Certificate distribution is a lot less secure than the keys themselves. But 
you cannot trick someone into using an expired key.


> So in summary, the short validity period is essentially a reminder for
> people to regularly check whether the key has been revoked.

And besides security: It allows detection of dead keys on the keyservers.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
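The relying-party side of the argument above (an expired key must not be used no matter whether a revocation certificate ever reached you, and expired primary keys on a keyserver are "dead" keys) can be checked mechanically from GnuPG's machine-readable listing. The following is an added example, not code from the mailing list post or from GnuPG itself. It assumes the `gpg --list-keys --with-colons` record layout documented in GnuPG's DETAILS file (field 1 record type, field 5 key ID, field 6 creation time, field 7 expiration time as epoch seconds, empty when the key never expires); the listing, key IDs and timestamps below are constructed placeholders, not real keys.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of `gpg --list-keys --with-colons` output.
# Key IDs, fingerprints and timestamps are placeholders for this example.
SAMPLE_LISTING = """\
tru::1:1386115200:0:3:1:5
pub:-:4096:1:0000000000000001:1356998400:1370044800::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1356998400::0000000000000000000000000000000000000001::Alice Example <alice@example.invalid>::::::::::0:
sub:-:4096:1:0000000000000002:1356998400:1370044800:::::e::::::23:
pub:-:4096:1:0000000000000003:1356998400:::-:::scESC::::::23::0:
sub:-:4096:1:0000000000000004:1356998400::::::e::::::23:
pub:-:4096:1:0000000000000005:1356998400:1388534400::-:::scESC::::::23::0:
"""

# Constructed "current time": 2013-12-04 00:00:00 UTC, the date of the thread.
NOW = 1386115200


@dataclass
class KeyRecord:
    kind: str            # "pub" (primary key) or "sub" (subkey)
    keyid: str           # field 5 of the colon listing
    created: int         # field 6, epoch seconds
    expires: Optional[int]  # field 7, epoch seconds, or None if no expiry is set


def parse_colon_listing(text: str) -> list[KeyRecord]:
    """Extract pub/sub records from a colon-separated GnuPG key listing."""
    records: list[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue  # skip tru/fpr/uid/etc. records
        expires = int(fields[6]) if fields[6] else None
        records.append(KeyRecord(fields[0], fields[4], int(fields[5]), expires))
    return records


def key_status(rec: KeyRecord, now: int, soon: int = 30 * 86400) -> str:
    """Classify one key purely from its expiration field.

    "expired" is decided locally from the timestamp, so it holds even when
    a revocation certificate has been withheld from us.
    """
    if rec.expires is None:
        return "no-expiry"
    if rec.expires <= now:
        return "expired"
    if rec.expires - now <= soon:
        return "expiring-soon"
    return "valid"


def classify_primary_keys(text: str, now: int = NOW) -> dict[str, str]:
    """Map every primary key ID in the listing to its expiry status."""
    return {
        rec.keyid: key_status(rec, now)
        for rec in parse_colon_listing(text)
        if rec.kind == "pub"
    }


def dead_keys(text: str, now: int = NOW) -> list[str]:
    """Primary keys whose expiry has passed: candidates for 'dead key' cleanup."""
    return [k for k, status in classify_primary_keys(text, now).items()
            if status == "expired"]


def accept_for_use(text: str, keyid: str, now: int = NOW) -> bool:
    """Relying-party rule: never use a primary key that is expired or unknown."""
    status = classify_primary_keys(text, now).get(keyid)
    return status in ("valid", "expiring-soon", "no-expiry")


if __name__ == "__main__":
    for keyid, status in classify_primary_keys(SAMPLE_LISTING).items():
        print(f"{keyid}: {status}")
    print("dead keys:", dead_keys(SAMPLE_LISTING))
```

Run against a real listing with `gpg --list-keys --with-colons | python3 thisfile.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`; the status is computed from the expiration timestamp alone, which is exactly why an attacker holding only an exported subkey cannot make the key look fresh again without the secret primary key that signs the new expiry.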