On Sunday 25 January 2009, Faramir wrote:
> David Shaw wrote:
> > On Jan 24, 2009, at 4:46 PM, Faramir wrote:
> >> David Newman wrote:
> >>> Michael Lucas' gpg/pgp book recommends setting a relatively short
> >>> expiration time, such as a year, for personal keys.
> >>
> >> Well... I am not sure if that is a good idea... since if your key
> ...
> > You don't have to do this if you don't want to. If you set an
> > expiration date and the key expires, you can always change the
> > expiration date to a further date in the future (i.e. 'un-expiring'
> > your key).
>
> Now I think about it, what is the point about expiring the main
> key? Protecting against losing the secret key and being unable to
> revoke it?
Yes, I'd say this is the main reason behind Michael Lucas's recommendation. Does Michael Lucas also recommend creating a revocation certificate and storing it in a safe place (best printed on paper)?

> In the case of subkeys, if they are compromised, the
> attacker still can't change their expiration date (since the main key
> remains secure), but in the case of the main key... if it is
> compromised, the attacker can do anything he/she wants... except
> un-revoking the copy from keyservers.

Exactly. Therefore you should always have a revocation certificate (or even multiple revocation certificates with different reasons for revocation) at hand. Moreover, I'd say one should explicitly revoke expired keys one does not intend to re-use/un-expire, so that they can never be un-expired by someone else.

Regards,
Ingo
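The workflow discussed in this thread (short expiry, revocation certificate prepared in advance, "un-expiring" with the primary key, then explicit revocation), as an added example that is not part of the original mails. It assumes gpg 2.1 or later on PATH (which writes a revocation certificate to openpgp-revocs.d at key generation time), runs in a throwaway GNUPGHOME, and uses a constructed user id; the function returns 77 if gpg is not installed.

```shell
#!/bin/sh
# Added demo, not from the thread. Everything happens in a temporary GNUPGHOME.

# Non-interactive gpg wrapper: no pinentry, empty passphrase for the demo key only.
gpgq() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Field 2 of the "pub" record is validity ("r" once revoked), field 7 the expiry timestamp.
pub_field() { gpg --batch --with-colons --list-keys "$1" | awk -F: -v f="$2" '$1=="pub"{print $f; exit}'; }

demo_revocation_workflow() {
    command -v gpg >/dev/null 2>&1 || return 77   # gpg not installed: report "skipped"
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    uid='Demo Key (constructed) <demo@example.invalid>'   # constructed identity

    # 1. Primary key with a one-year expiry, as the book recommends.
    gpgq --quick-generate-key "$uid" default default 1y || return 1
    fpr=$(gpg --batch --with-colons --list-keys "$uid" | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$fpr" ] || return 1
    expiry1=$(pub_field "$fpr" 7)

    # 2. The revocation certificate already exists; this is the file to print and store offline.
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    [ -s "$rev" ] || return 1

    # 3. "Un-expiring": whoever holds the primary key can push the date out (here to two years).
    gpgq --quick-set-expire "$fpr" 2y || return 1
    expiry2=$(pub_field "$fpr" 7)
    [ -n "$expiry1" ] && [ -n "$expiry2" ] && [ "$expiry2" -gt "$expiry1" ] || return 1

    # 4. Explicit revocation, so the key can never be un-expired by anyone later.
    #    gpg prefixes the stored certificate with ':' to prevent accidental import; strip it.
    sed 's/^://' "$rev" | gpgq --import || return 1
    validity=$(pub_field "$fpr" 2)

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    [ "$validity" = "r" ]   # success only if the key is now marked revoked
}
```

Publishing the revoked key (gpg --send-keys) is what makes the revocation visible to others; the demo stops at the local keyring.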
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users