Viktor Dick viktordick86 at gmail.com
Wed Mar 23 06:04:46 CET 2016

On 22.03.2016 23:10, Dashamir Hoxha wrote:
> You got this wrong. It does not enforce 1 month expiry. Right after
> creating the key you can change its expiry to 10y, if you wish. But if
> you say nothing, after 1m you will have to renew it (if you still
> remember the passphrase). This is like a safety measure for people who
> are not familiar with gpg.

In this case, I think you have got a point. I think the gnupg default of
'expires: never' is not the best solution, since people who just try it
out might end up with a public key published to keyservers where they
have lost the private key. Of course, this is not different from fake
keys published by third parties, as long as there are no relevant
signatures on it nobody should trust them. But I still think it might be
better to set a default expiry of, let's say, 1 year and two months for
the primary key and one year for the subkeys.

Then there is the problem that the user might not notice that his key is
expired. I remember vaguely spending a day trying to find the error until
I noticed that my subkeys were expired. But this might have been a
problem with Enigmail, which did not give a clear error message.

However, one month is IMHO too short. But maybe I'm not the best judge
since the last time I wrote an encrypted email was multiple months ago
and I only once in my lifetime got an encrypted email except for testing
purposes. Renewing my keys every month (and, which is more difficult
than simply remembering to do so, distributing them between the couple
or so machines where I read email) would be too much of a hassle.
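Added example (not part of this thread or of GnuPG itself): the "did not notice my subkeys were expired" failure above is easy to catch mechanically. The script below parses the machine-readable `gpg --list-keys --with-colons` listing, where field 7 of each pub/sub record is the expiry time in seconds since the epoch (empty means never), and flags expired and soon-expiring keys. The 30-day window, the sample listing and the fixed "now" are constructed for illustration.

```python
"""Flag expired or soon-expiring keys in a gpg --with-colons listing."""
import subprocess
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumption: warn when a key expires within 30 days


def parse_expiry(listing, now, warn_days=WARN_DAYS):
    """Return (record_type, key_id, status, expires) per pub/sub/sec/ssb record."""
    results = []
    for line in listing.splitlines():
        fields = line.split(":")
        # field 1 = record type, field 5 = key ID, field 7 = expiry (epoch seconds)
        if len(fields) < 7 or fields[0] not in ("pub", "sub", "sec", "ssb"):
            continue
        key_id, raw_expiry = fields[4], fields[6]
        if not raw_expiry:  # empty expiry field means 'expires: never'
            results.append((fields[0], key_id, "never", None))
            continue
        expires = datetime.fromtimestamp(int(raw_expiry), tz=timezone.utc)
        if expires <= now:
            status = "expired"
        elif expires - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((fields[0], key_id, status, expires))
    return results


def check_keyring(now=None):
    """Run gpg on the local public keyring and return every record that is not 'ok'."""
    out = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return [r for r in parse_expiry(out, now or datetime.now(tz=timezone.utc))
            if r[2] != "ok"]


# Constructed sample listing: primary key valid for ~400 days, encryption
# subkey expired 10 days ago, signing subkey expiring in 14 days, and a second
# primary key with no expiry at all.  SAMPLE_NOW is 2016-03-23 00:00 UTC.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1424563200:1493251200::u:::scESC::::::23::0:
uid:u::::1424563200::HASH1::Alice Example <alice@example.invalid>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1424563200:1457827200:::::e::::::23:
sub:e:4096:1:1111222233334444:1424563200:1459900800:::::s::::::23:
pub:-:2048:1:5555666677778888:1424563200:::-:::scESC::::::23::0:
uid:-::::1424563200::HASH2::Bob Example <bob@example.invalid>::::::::::0:
"""
SAMPLE_NOW = datetime(2016, 3, 23, tzinfo=timezone.utc)


def sample_report():
    """Parse the constructed sample as of SAMPLE_NOW."""
    return parse_expiry(SAMPLE, SAMPLE_NOW)


if __name__ == "__main__":
    for record in sample_report():
        print(record)
```

Run `check_keyring()` from a cron job or shell profile to get the warning Enigmail did not give; the same parser works on `gpg --list-secret-keys --with-colons` output (sec/ssb records).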

