flapflap flapflap at riseup.net
Wed Mar 23 14:04:47 CET 2016

Viktor Dick:
> In this case, I think you have got a point. I think the gnupg default of
> 'expires: never' is not the best solution, since people who just try it
> out might end up with a public key published to keyservers where they
> have lost the private key.
> But I still think it might be
> better to set a default expiry of, let's say, 1 year and two months for
> the primary key and one year for the subkeys.

o  IMHO, users of the terminal gpg program should be well aware of the
   existence of expiration of a key, because they were asked for it
   during key generation.
o  "People who just try it [gpg] out" should (and most likely will) not
   use the terminal interface.
o  "People who just try it [gpg] out" should use Enigmail or another
   GUI.  And when using Enigmail, the expiry default is 5y, a revocation
   certificate is generated by default so that the user can revoke the
   key if s/he lost the passphrase/secret key.  Also, the user is
   advised to make a copy to an external medium (CD/USB) or print it
   out.  It is already 'fail safe', so to speak.

