First steps with GPG, am I off to a good start?

Doug Barton dougb at dougbarton.us
Sat Oct 12 04:47:38 CEST 2013


On 10/11/2013 07:22 PM, Hauke Laging wrote:
| On Fri 11.10.2013, 19:09:19, Doug Barton wrote:
|> On 10/10/2013 06:32 PM, Hauke Laging wrote:
|> | I know of no good reason for creating a mainkey without
|> | expiration date.
|>
|> I know of no good reason to use expiration dates at all.
|>
|> Most end users don't know how to properly refresh their key
|> rings,
|
| So avoiding the "I'm an idiot" message is not a good idea but not
| teaching people simple tasks is. I beg to differ.

Twenty years of experience shows us that it's a lost cause. PGP is
simply too hard for "average" computer users. Even those who use PGP,
which by definition makes them "above average", commonly don't refresh
their key rings. So whether either of us like it or not, any plan that
requires users to refresh their key rings for it to work is simply
impractical.

... and I left out another problem with expiration dates, users that
set them on their keys and are not aware that they can be extended.
Robert's right, the defaults are what the vast majority of users
should use.

|> And what is the threat model that expirations are supposed to
|> cover anyway?
|
| If there is a real threat then it is probably rarely going to
| happen. But the point is: Threats are not the only argument for
| crypto recommendations.

Um, of course they are. Otherwise you're just participating in
"security theater" and wasting everyone's time.

Doug



