Peter Lebbing peter at digitalbrains.com
Tue Mar 22 23:25:54 CET 2016

On 22/03/16 23:10, Dashamir Hoxha wrote:
> You got this wrong. It does not enforce 1 month expiry. Right after
> creating the key you can change its expiry to 10y, if you wish. But if
> you say nothing, after 1m you will have to renew it (if you still
> remember the passphrase). This is like a safety measure for people who
> are not familiar with gpg.

It's not a good default. There is something to be said for an expiry, so
keys eventually become stale if the owner loses the revocation
certificate and the key itself.

But we clearly have an informed disagreement. There's nothing more I can
say, I think.

> What is wrong with that? As long as there is a subkey for encryption,
> gpg will use the subkey for encryption, even if the primary key is
> capable of encryption.

That is not up to you! It's up to your peers, or your attackers. They
pick which key they encrypt to, and your GnuPG will just use whatever
key was encrypted to, to decrypt it. You don't have a say in it. Your
only recourse is to delete your primary key, meaning you can't certify
anymore either.

If there are hidden recipients, GnuPG will simply try both your primary
and your subkey to decrypt the hidden PKESK packet.

Why did you change this to the setting it had in the way before, the
long-long ago: one key for everything? I've only ever seen it advocated
in the sense that "you should encrypt to the primary key for TOP SECRET
material, since I only have that key on an air-gapped offline computer".
Not precisely a beginner's scenario, and a flawed argument anyway if you
ask me.

> And I believe that this can be done with a bunch of simple
> shell scripts.

Go ahead. You've heard multiple opinions from several people. But please
be aware of the criticism with regard to the details like the key
capabilities and so forth. You're choosing this for your users, not just
for yourself. Be prudent. Don't hurt your users, and realise that the
defaults are that for good reason. I would strongly urge you to keep
GnuPG at its defaults: they are good. Just change the interface, not the
defaults. Okay, I should stop, I get the feeling every next sentence is
a rephrasing of previous ones :).



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
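
The capability point in the reply above can be checked mechanically. The following is an added example, not part of the original post or of any project discussed in it: a shell function that reads `gpg --with-colons --list-keys` output and flags primary keys that are themselves encryption-capable, whether or not an encryption subkey exists. The function name, the output wording and the two sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `gpg --with-colons --list-keys` output on stdin.
# Field 12 holds capabilities: lowercase letters belong to that key itself;
# uppercase letters on a pub line summarise the whole key (primary + subkeys).

# Prints one line per primary key:
#   <keyid> primary=<own caps> enc_subkeys=<count> <ok|primary-encrypts>
audit_enc_caps() {
    LC_ALL=C awk -F: '
        function report() {
            if (id != "")
                print id, "primary=" own, "enc_subkeys=" n, \
                      (own ~ /e/ ? "primary-encrypts" : "ok")
        }
        $1 == "pub" {
            report()
            id = $5; n = 0
            own = $12
            gsub(/[^a-z]/, "", own)   # drop the uppercase whole-key summary
        }
        # Count usable encryption subkeys (skip revoked "r" / expired "e").
        $1 == "sub" && $2 !~ /^[re]/ && $12 ~ /e/ { n++ }
        END { report() }'
}

# Constructed sample: GnuPG default layout (sign+certify primary, "e" subkey).
SAMPLE_DEFAULT='pub:u:2048:1:AAAAAAAAAAAAAAAA:1458684000:::u:::scESC:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1458684000::::::e:'

# Constructed sample: primary key that can also encrypt, plus an "e" subkey.
SAMPLE_ALLINONE='pub:u:2048:1:CCCCCCCCCCCCCCCC:1458684000:1461276000::u:::escESC:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1458684000:1461276000:::::e:'

printf '%s\n%s\n' "$SAMPLE_DEFAULT" "$SAMPLE_ALLINONE" | audit_enc_caps
```

A key reported as `primary-encrypts` with `enc_subkeys=1` is the case discussed in the thread: the subkey does not stop a sender from encrypting to the primary key.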
