Renewing expiring key - done correctly?

Robert J. Hansen rjh at
Wed Dec 4 01:03:13 CET 2013

On 12/3/2013 6:20 PM, Hauke Laging wrote:
> Imagine a certificate which is always prolonged for just one day. If this gets 
> compromised then it will not be prolonged any more (at least not by its owner 
> but we all love our highly secure offline mainkeys, don't we?) so everyone 
> will notice that within hours.

1.  The attacker can just extend the validity himself.  He's
    successfully compromised the key, after all.

2.  As a consequence of #1, no one will notice.

There are certainly reasons to limit certificate and/or subkey
lifetimes, but these reasons are principally to comply with regulations,
policies and/or laws -- not so much because doing so is a security

More information about the Gnupg-users mailing list