auto refresh for expired certificates

Peter Lebbing peter at digitalbrains.com
Sun Oct 26 14:14:25 CET 2014


On 26/10/14 12:56, Hauke Laging wrote:
> I do admit that this may be interesting for certain people but I guess that
> this tool does not do "that" but solves a completely different problem.

However, it does broadly correspond to your later comments about periodically
refreshing even before the expiry date.

And more importantly, an implementation of refresh-on-expiry might actually be
done as a new mode of the existing tool parcimonie, leveraging the code that
has already been written. And you get parcimonie's features as a bonus, i.e.,
not exposing too much about when you use keys and what keys you have.

I'm suggesting that automatic runs of parcimonie should schedule a refresh of
a key when a key is close to expiry. It seems to me postponing the refresh to
the first moment you use an already expired key leaks more metadata than
necessary, i.e., that you are about to encrypt to that key.

However, some thought needs to go into when and how often to check keys close
to expiry.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
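An added sketch (not code from the thread, parcimonie or GnuPG) of the near-expiry check Peter suggests: parse the `gpg --with-colons --list-keys` record format for expiry dates, pick the keys within a window of expiry, and give each one an independent random refresh delay. The key IDs, timestamps, the 30-day window and the "now" value are constructed assumptions.

```python
import random

# Constructed sample of `gpg --with-colons --list-keys` output; key IDs and
# dates are made up. 0-based fields of a "pub" record used here:
# [0] record type, [4] key ID, [6] expiry as seconds since the epoch ("" = none).
SAMPLE_COLONS = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:1414900000::u:::scESC::::::23::0:
uid:u::::1400000000::0000000000000000000000000000000000000000::Alice <alice@example.invalid>::::::::::0:
pub:e:2048:1:BBBBBBBBBBBBBBBB:1300000000:1410000000::u:::scESC::::::23::0:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1400000000:1500000000::u:::scESC::::::23::0:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1400000000:::u:::scESC::::::23::0:
"""

def parse_pub_expiry(colons_output):
    """Map each public key ID to its expiry epoch, or None if it never expires."""
    expiries = {}
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue  # skip uid/sub/fpr records
        expiries[fields[4]] = int(fields[6]) if fields[6] else None
    return expiries

def keys_near_expiry(expiries, now, window_seconds):
    """Keys expiring within the window, plus keys that have already expired."""
    return sorted(keyid for keyid, exp in expiries.items()
                  if exp is not None and exp - now <= window_seconds)

def schedule_refreshes(keyids, min_delay, max_delay, rng=random):
    """Independent random delay per key, so the refreshes are not batched
    together and the timing reveals less about which keys you hold."""
    return {keyid: rng.uniform(min_delay, max_delay) for keyid in keyids}

if __name__ == "__main__":
    now = 1414300000            # constructed: late October 2014
    window = 30 * 24 * 3600     # assumption: start refreshing 30 days ahead
    due = keys_near_expiry(parse_pub_expiry(SAMPLE_COLONS), now, window)
    for keyid, delay in schedule_refreshes(due, 3600, 86400).items():
        print(f"refresh {keyid} in {delay / 3600:.1f} h")
```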