flapflap at riseup.net
Wed Mar 23 14:04:47 CET 2016
> In this case, I think you have got a point. I think the gnupg default of
> 'expires: never' is not the best solution, since people who just try it
> out might end up with a public key published to keyservers where they
> have lost the private key.
> But I still think it might be
> better to set a default expiry of, let's say, 1 year and two months for
> the primary key and one year for the subkeys.

o IMHO, users of the terminal gpg program should be well aware of the
  existence of expiration of a key, because they were asked for it
  during key generation.
o "People who just try it [gpg] out" should (and most likely will) not
  use the terminal interface.
o "People who just try it [gpg] out" should use Enigmail or another
  GUI. And when using Enigmail, the expiry default is 5y, a revocation
  certificate is generated by default so that the user can revoke the
  key if s/he lost the passphrase/secret key. Also, the user is
  advised to make a copy to an external medium (CD/USB) or print it
  out. It is already 'fail safe' so to say.