Am 05.05.2011 22:10, schrieb Doug Barton: > On 05/04/2011 23:52, Andreas Heinlein wrote: >> We have a OpenPGP key which we use for signing our software releases. >> That key should be changed yearly and carry an expiration date to >> enforce this change. > > What are you trying to accomplish by doing it this way? I've yet to > see a good rationale for setting expiration dates on keys, but perhaps > you can be the first. :) > > Well, there are several reasons.
The first is that there is always the chance that the key is cracked brute-force. Remember that the x-zillion years which are often cited are only an average. One might always be lucky and find the right one within the first 0.0001% of keyspace, taking only a few days or weeks. Chance is very low, but then almost every week someone wins the lottery... ;-) More likely your key gets compromised some other way, e.g. it is stolen from your computer by a trojan, a malicious website or whatever. A good passphrase mitigates this risk somewhat, but most people choose passphrases which are weaker and easier to brute-force than the actual key. Here comes the third point; even if you notice your key was compromised, you need to revoke it *and* make sure the revocation reaches all users of your key. Like Werner said, many people never refresh their keys, so expiring is indeed a way to force them to do that. ( I admit that, in our case, even this will not help, since gpg will happily verify a signature made by an expired key. It will tell you that it's expired, but verify anyway. The 'hard' way would be to just refuse to do anything with an expired key or even delete it automatically, but that's another discussion). Much depends on the use case you're using GPG for, there's another discussion currently on this topic. Werner's approach still doesn't satisfy me, as it doesn't protect you from someone else using your (compromised) key as long as you don't notice it. Andreas _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
