First steps with GPG, am I off to a good start?
dougb at dougbarton.us
Sat Oct 12 04:09:19 CEST 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 10/10/2013 06:32 PM, Hauke Laging wrote:
| I know of no good reason for creating a mainkey without expiration date.
I know of no good reason to use expiration dates at all.
Most end users don't know how to properly refresh their key rings, so if
you extend the expiration date you will simply inconvenience anyone who
is trying to communicate with you via encryption, and likely generate
questions about why your messages are signed with an expired key.
And what is the threat model that expirations are supposed to cover
anyway? That the person loses control of the key, and any revocation
certificates that they may or may not have generated? What is the
practical effect to me, as someone with that key on my key ring? A
responsible person who lost control of their key could still send
messages to those that they correspond with and/or have signed their key
saying "Hey, I'm an idiot, and I lost control of my key." But then
again, such a person probably would not have lost control of the key in
the first place.
So if there is actually a threat model that expiration dates on keys
helps with, please educate me. Otherwise can we stop recommending them?
Especially to new users?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Gnupg-users