On 08/13/2010 07:25 PM, Milan Kupcevic wrote:
> Chris Knadle wrote:
>
>> If you look at the signatures of my key [0x6A9FDD74], I think
>> you'll see something interesting which will also likely answer your
>> question.
>
> Hm, the signature in question is valid exactly 5 years after the
> signing date.
yup, i'm currently making most of my certifications with a 5-year expiration date. This is a compromise between the commonly-used X.509 model (1-year certifications, regular renewals and hassles) and the commonly-used OpenPGP model (no expiration, no real infrastructure to ensure that a key remains under control of the certified party).

I did this by adding the ask-cert-expire flag to gpg.conf (in particular, to ~/.caff/gnupghome/gpg.conf, since i use caff for most of my OpenPGP certifications). This is *not* the default for recent versions of GnuPG.

I'm not convinced that my current approach is a great one, and i'd be happy to discuss it with people who feel strongly one way or the other (maybe gnupg-us...@gnupg.org would be a better forum than debconf-discuss, though).

I suspect that we need better infrastructure, including tools which alert the user when some of their own certifications are due to expire. If those alerts provided an easy way to do sensible things (e.g. follow up in a standard manner with the keyholder, or directly re-issue the cert if the user knows it to still be good), even better.

Regards,

--dkg
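The message above asks for tooling that warns a user when their own OpenPGP certifications are about to expire. The following is an added example of such a check, not code from dkg or from GnuPG: it parses the machine-readable listing that `gpg --with-colons --fixed-list-mode --list-sigs` prints, picks out the `sig` records made by one's own certifying key, and buckets them by expiry. The key IDs, user IDs and timestamps in `SAMPLE_LISTING` are constructed placeholders (including the certifier key ID `D0D0D0D0D0D0D0D0`), and the field positions follow the `sig`/`uid`/`pub` record layout documented in GnuPG's doc/DETAILS, with timestamps as Unix seconds as `--fixed-list-mode` emits them.

```python
# Added example (not part of the original message): find our own OpenPGP
# certifications in `gpg --with-colons --fixed-list-mode --list-sigs` output
# and report which ones have expired or are due to expire within a horizon.
from datetime import datetime, timezone

# Constructed placeholder for the long key ID of the key we certify with.
OUR_KEYID = "D0D0D0D0D0D0D0D0"

# Constructed sample listing. Three keys; on each, one certification by us.
# Colon-record fields (1-based): 1 type, 5 key ID (for sig: signer's key ID),
# 6 creation time, 7 expiration time (empty = none), 10 user ID, 11 sig class.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1281700000:::u:::scESC::::::::
uid:u::::1281700000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::
sig:::1:AAAAAAAAAAAAAAA1:1281700000:::::Alice Example <alice@example.org>:13x:::::::::
sig:::1:D0D0D0D0D0D0D0D0:1281700000:1439380000:::Our Certifier <us@example.org>:13x:::::::::
pub:u:2048:1:BBBBBBBBBBBBBBB2:1200000000:::u:::scESC::::::::
uid:u::::1200000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Bob Example <bob@example.org>::::::::::
sig:::1:D0D0D0D0D0D0D0D0:1200000000::::Our Certifier <us@example.org>:10x:::::::::
pub:u:2048:1:CCCCCCCCCCCCCCC3:1250000000:::u:::scESC::::::::
uid:u::::1250000000::456789ABCDEF0123456789ABCDEF0123456789AB::Carol Example <carol@example.org>::::::::::
sig:::1:D0D0D0D0D0D0D0D0:1250000000:1407740000:::Our Certifier <us@example.org>:13x:::::::::
"""


def _field(rec, n):
    """1-based access to a split colon record; empty string if the field is absent."""
    return rec[n - 1] if n - 1 < len(rec) else ""


def find_our_certifications(listing, our_keyid):
    """Return (certified_keyid, uid, created, expires) for every sig record made by our key.

    `expires` is None when the certification carries no expiration time.
    """
    current_key = None
    current_uid = None
    found = []
    for line in listing.splitlines():
        rec = line.split(":")
        rtype = _field(rec, 1)
        if rtype == "pub":
            current_key = _field(rec, 5)   # key being certified
            current_uid = None
        elif rtype == "uid":
            current_uid = _field(rec, 10)  # user ID the following sigs apply to
        elif rtype == "sig" and _field(rec, 5).upper() == our_keyid.upper():
            created = int(_field(rec, 6))
            exp_raw = _field(rec, 7)
            expires = int(exp_raw) if exp_raw else None
            found.append((current_key, current_uid, created, expires))
    return found


def classify(certs, now_unix, horizon_days=90):
    """Bucket certifications as 'expired', 'expiring' (within horizon), 'ok' or 'no_expiry'."""
    horizon = now_unix + horizon_days * 86400
    out = []
    for keyid, uid, created, expires in certs:
        if expires is None:
            status = "no_expiry"
        elif expires <= now_unix:
            status = "expired"
        elif expires <= horizon:
            status = "expiring"
        else:
            status = "ok"
        out.append({"keyid": keyid, "uid": uid, "created": created,
                    "expires": expires, "status": status})
    return out


def report(listing, our_keyid, now_unix, horizon_days=90):
    """One human-readable line per certification that needs attention (everything except 'ok')."""
    lines = []
    for c in classify(find_our_certifications(listing, our_keyid), now_unix, horizon_days):
        if c["status"] == "ok":
            continue
        when = ("never" if c["expires"] is None
                else datetime.fromtimestamp(c["expires"], tz=timezone.utc).date().isoformat())
        lines.append(f"{c['status']:<9} {c['keyid']}  {c['uid']}  (expires {when})")
    return lines


if __name__ == "__main__":
    import sys
    import time
    # Pipe real output in: gpg --with-colons --fixed-list-mode --list-sigs | python3 this.py
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for line in report(listing, OUR_KEYID, int(time.time())):
        print(line)
```

Only `sig` records whose signer field matches our key ID are considered, so other people's certifications and the keyholder's own self-signatures are ignored. Certifications with no expiration are listed too, since under the 5-year policy described above those are the ones that were never given a review date.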
_______________________________________________
Debconf-discuss mailing list
Debconf-discuss@lists.debconf.org
http://lists.debconf.org/mailman/listinfo/debconf-discuss