2 Q's

Andrew Gallagher andrewg at andrewg.com
Wed Aug 17 18:41:29 CEST 2016


On 17/08/16 17:03, Gabriel Philippe wrote:
> On Wed, Aug 17, 2016 at 5:43 PM, Andrew Gallagher <andrewg at andrewg.com> wrote:
>> On 17/08/16 16:36, Gabriel Philippe wrote:
>>>
>>> Set an expiration date to your key one year from now. Every 6 months,
>>> postpone this expiration date to 6 more months. It's too late for
>>> these people, but in the future and same conditions, others won't have
>>> a false security feeling when writing to you: if they keep using the
>>> wrong key, they will get a warning.
>>
>> Computers were invented to liberate us from such drudgery.
> 
> I know several people for whom you can find public keys on keyservers
> with no expiration date, who have lost the private key. A long time ago,
> just testing PGP, disk crash with no backup... Sometimes they are still
> using the same e-mail address.

/me raises his hand guiltily

My only hope is that someday 1024-bit DSA keys will be generally
deprecated...

> Maybe software creating keys should impose expiration dates, unless
> in export modes.

Yes, absolutely. And it should also be made much clearer that
expiration dates can be extended indefinitely. I threw away two
perfectly good primary keys before I learned this handy fact.

> Maybe software using keys should automatically
> postpone expiration dates and re-export the keys...

No, because you misplacing your private key and me failing to download
your revocation are different problems, with different burdens of
responsibility and different urgencies. A weekly or even daily keyring
refresh could be considered prudent - but weekly key expirations would
be extreme.

To use the DNS analogy again, "TTL" and "expiry" are different numbers.
One is a cache refresh schedule and one is a cache invalidation
schedule. Not the same thing at all.

> But computers
> can't do everything. People have to learn and understand some basics,
> and practice.

The entire point of civilisation is that you don't need to know
everything. Sure, computer geeks should know these things. But your
granny should never need to know what goes on under the hood of her
software, any more than she needs to know how to refine diesel or bump
a Yale lock. If you make the barriers to entry too high, people just
won't bother.

A
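As an added example (not part of this thread or of GnuPG itself), here is a small Python audit over GnuPG's machine-readable `--with-colons` key listing that flags the cases discussed above: keys with no expiration date, keys inside the six-month extension window, expired keys, and 1024-bit DSA keys. It assumes the modern listing format in which the creation and expiry fields are Unix timestamps, and the sample records and key IDs are constructed for illustration.

```python
import datetime as dt

ALGO_DSA = 17              # OpenPGP public-key algorithm id for DSA
EXTEND_WINDOW_DAYS = 180   # the "every 6 months, postpone" cadence from the thread

# Constructed sample output of `gpg --with-colons --list-keys` (key IDs are fake).
# pub fields: type:validity:bits:algo:keyid:created:expires:...
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1440000000:1502976000::u:::scESC::::::
uid:u::::1440000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1440000000:1480000000::u:::scESC::::::
pub:-:1024:17:CCCCCCCCCCCCCCCC:1000000000:::-:::sc::::::
pub:e:2048:1:DDDDDDDDDDDDDDDD:1300000000:1400000000::-:::sc::::::
"""
NOW = 1471440000  # constructed "current time" (mid-August 2016, UTC)

def parse_pub_records(listing):
    """Yield one dict per 'pub' record, keeping only the fields the audit needs."""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "pub":
            continue
        yield {
            "keyid": f[4],
            "algo": int(f[3]),
            "bits": int(f[2]),
            "created": int(f[5]),
            "expires": int(f[6]) if f[6] else None,  # empty field = never expires
        }

def audit(listing, now=NOW):
    """Return {keyid: [findings]} for keys that violate the expiry policy.

    Note this checks the key's expiry only; how often you refresh the keyring
    from a keyserver (the "TTL" in the thread's DNS analogy) is a separate schedule.
    """
    findings = {}
    for k in parse_pub_records(listing):
        notes = []
        if k["algo"] == ALGO_DSA and k["bits"] <= 1024:
            notes.append("weak 1024-bit DSA key")
        if k["expires"] is None:
            notes.append("no expiration date")
        else:
            days_left = (k["expires"] - now) // 86400
            if days_left < 0:
                notes.append("expired")
            elif days_left <= EXTEND_WINDOW_DAYS:
                notes.append(f"expires in {days_left} days: extend now")
        if notes:
            findings[k["keyid"]] = notes
    return findings

if __name__ == "__main__":
    for keyid, notes in audit(SAMPLE_LISTING).items():
        print(keyid, "-", "; ".join(notes))
```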

