This is a resend because I accidentally mailed Peter Lebbing directly without the mailing list.
Allow me to lay to rest all the confusion in this thread.

On Tue, Sep 16, 2014 at 6:45 AM, Peter Lebbing <pe...@digitalbrains.com> wrote:
> I wanted to encrypt a document to myself on an offline system[1].
> However, that copy of my own key was expired, and it wouldn't do it. I
> was in a bit of a hurry, trying to get things done. Now, I had to get a
> USB drive, start another computer, export my updated key, and import it
> on the offline system. If I had --expert followed by yes to an "Are you
> sure?" prompt, I would have done that and updated the copy when I had
> more time.
>

Not really sure where you're going with this. It has already been *established* that if you're the key owner you can adjust the expiration date of the key.

I think there's a lot of confusion around the intention of a floating expiration here. Expiring keys have the following function:

Expiring local copies of public keys on other people's computers to force them to get a public key update from the owner.

That is to say that if I have Peter Lebbing's public key and it has expired, that means I must reach out to Peter Lebbing for the latest copy of the public key of the exact same fingerprint. Expiration in this context does not mean the key is forever invalid. It means that *my copy* is invalid until I get a more recent update from Peter Lebbing. That just means Peter Lebbing would have changed the expiration date of his public key and extended it. So when I get his new expiration date, that is the time at which I must reach out to him next for another public key update of the same fingerprint.

This protects both the key owner and correspondent in a couple of ways.

1) If I have an expired key and I check to see what the latest key is of Peter Lebbing, he may have revoked it. In this case it forced me to go out and check and see that it was revoked, so I *must* not use this key again. He can give me his new key with proper WoT validation.

2) If Peter Lebbing as a key owner loses his key and my local public key of Peter Lebbing expires, then the next time I reach out to Peter Lebbing for the latest key copy he can tell me he, in fact, lost the key and give me a new one with proper WoT validation.

To bring this full circle: the expiration date's purpose is to force users of any public key to periodically check with the key owner that the public key is still valid.

RESOLUTION

So if a key is expired I *must* not encrypt with it. I *should* instead reach out to the key owner and ask for their latest public key of the same fingerprint, which would have a new adjusted expiration date. This ensures I'm not encrypting to a compromised key, a revoked key, or a key of which the owner lost the private key.

If you're the owner of a key that has an expired date, you *should* extend it to allow further use of the key by your contacts. If you decide you don't want to use the key any longer then you *should* revoke the key. If you accidentally lose your key then no worries, because eventually it will expire and nobody could encrypt to it even if they wanted to.

Hope this helps,
SAM

--
GPG FINGERPRINT 4096 KEY 8D8B F0E2 42D8 A068 572E BF3C E8F7 3234 7257 E65F
https://keybase.io/samrocketman
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
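The RESOLUTION rule above, applied to a keyring listing, as an added example that is not code from the post, from GnuPG or from the list. It assumes the field positions documented for `gpg --list-keys --with-colons` and uses a constructed listing with placeholder key IDs and fingerprints.

```python
"""Audit a GnuPG key listing the way the post prescribes.

Added example, not from the post or from GnuPG. It parses the machine-readable
`gpg --list-keys --with-colons` layout (field 2 validity, field 7 expiration as
Unix seconds, `fpr` records carry the fingerprint) and reports per fingerprint:
usable, expired (refresh from the owner, same fingerprint) or revoked (replace).
"""
from datetime import datetime, timezone
# Constructed sample listing: three keys, each in one state the post discusses.
# Key IDs, fingerprints and uid hashes are placeholders, not real keys.
SAMPLE_LISTING = """\
pub:e:4096:1:AAAAAAAAAAAAAAAA:1262304000:1388534400::-:::scESC::::::
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1262304000::HASH1::Alice (expired copy) <alice@example.org>::::
pub:r:4096:1:BBBBBBBBBBBBBBBB:1262304000:::-:::scESC::::::
fpr:::::::::0000000000000000000000000000000000000002:
uid:r::::1262304000::HASH2::Bob (revoked) <bob@example.org>::::
pub:f:4096:1:CCCCCCCCCCCCCCCC:1262304000:4102444800::-:::scESC::::::
fpr:::::::::0000000000000000000000000000000000000003:
uid:f::::1262304000::HASH3::Carol (current) <carol@example.org>::::
"""

def parse_listing(listing):
    """Group pub/fpr/uid records into one dict per primary key."""
    keys, cur = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "validity": f[1], "fpr": None, "uids": [],
                   "expires": int(f[6]) if f[6] else None}
            keys.append(cur)
        elif f[0] == "fpr" and cur is not None and cur["fpr"] is None:
            cur["fpr"] = f[9]  # first fpr record after pub is the primary's
        elif f[0] == "uid" and cur is not None:
            cur["uids"].append(f[9])
    return keys

def advise(key, now=None):
    """The post's rule: revoked -> replace key; expired -> refresh copy."""
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    if key["validity"] == "r":
        return "revoked"  # must not use; obtain and verify the owner's new key
    if key["validity"] == "e" or (key["expires"] and key["expires"] <= now):
        return "expired"  # must not encrypt; refresh this fingerprint from owner
    return "usable"

def audit(listing, now=None):
    """Map fingerprint -> verdict for every primary key in the listing."""
    return {k["fpr"]: advise(k, now) for k in parse_listing(listing)}
```

An "expired" verdict means the local copy is stale, not that the key is gone: fetch the same fingerprint from the owner, and only treat it as replaced when the fresh copy turns out to be revoked.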