First steps with GPG, am I off to a good start?

Doug Barton dougb at dougbarton.us
Sat Oct 12 04:09:19 CEST 2013


On 10/10/2013 06:32 PM, Hauke Laging wrote:
| I know of no good reason for creating a mainkey without expiration date.

I know of no good reason to use expiration dates at all.

Most end users don't know how to properly refresh their key rings, so if
you extend the expiration date you will simply inconvenience anyone who
is trying to communicate with you via encryption, and likely generate
questions about why your messages are signed with an expired key.

And what is the threat model that expirations are supposed to cover
anyway? That the person loses control of the key, and any revocation
certificates that they may or may not have generated? What is the
practical effect to me, as someone with that key on my key ring? A
responsible person who lost control of their key could still send
messages to those that they correspond with and/or have signed their key
saying "Hey, I'm an idiot, and I lost control of my key." But then
again, such a person probably would not have lost control of the key in
the first place.

So if there is actually a threat model that expiration dates on keys
help with, please educate me. Otherwise can we stop recommending them?
Especially to new users?

Doug

