First steps with GPG, am I off to a good start?
dougb at dougbarton.us
Sat Oct 12 04:47:38 CEST 2013
On 10/11/2013 07:22 PM, Hauke Laging wrote:
| On Fri 11.10.2013, 19:09:19 Doug Barton wrote:
|> On 10/10/2013 06:32 PM, Hauke Laging wrote:
|> | I know of no good reason for creating a mainkey without
|> | expiration date.
|> I know of no good reason to use expiration dates at all.
|> Most end users don't know how to properly refresh their key
| So avoiding the "I'm an idiot" message is not a good idea but not
| teaching people simple tasks is. I beg to differ.
Twenty years of experience shows us that it's a lost cause. PGP is
simply too hard for "average" computer users. Even those who use PGP,
which by definition makes them "above average", commonly don't refresh
their key rings. So whether either of us likes it or not, any plan that
requires users to refresh their key rings for it to work is simply
... and I left out another problem with expiration dates, users that
set them on their keys and are not aware that they can be extended.
Robert's right, the defaults are what the vast majority of users
|> And what is the threat model that expirations are supposed to
|> cover anyway?
| If there is a real threat then it is probably rarely going to
| happen. But the point is: Threats are not the only argument for
| crypto recommendations.
Um, of course they are. Otherwise you're just participating in
"security theater" and wasting everyone's time.