On Monday 8 December 2014 at 6:48:23 PM, in <mid:5485f277.3020...@web.de>, Tomo Ruby wrote:

> as I wrote in the mail from Sun Dec 7 22:38:03 CET
> 2014: I know I could just set a new expiration date but
> most times it's recommended to use a key for two years
> at the longest.

Recommended by whom, and against what threat model? And, really, the same lifespan for signing keys as for encryption keys?

I use the supermarket approach to advice: only pick up what I need at the time.

My take on the advice I have most often seen in previous discussions is to set fairly short expiry dates, and make the decision whether to replace the key or extend its life when the expiry date is approaching. This gives you an opportunity to review the current state of your tools and best practices.

> So if I start counting I end up like
> this: One subkey for authentication, one for signing
> and one for encryption. This makes three new keys every
> two years...

OK, it would, but do you really need them all? If you use subkeys for each of those three capabilities, have you determined that in all three cases your threat model requires a new subkey every two years?

> I really don't understand why everyone has only so few
> subkeys...

Because they do not follow the recommendations you have taken on board.

A lot of keys are created without an expiry date. This is the GnuPG default; we are frequently exhorted that the defaults are chosen to be sensible for most users, and to only deviate if you know what you are doing _and_why_.

A large proportion of keys do not have a signing subkey (certainly of the 32 we currently encrypt messages to for the PGPNET discussion group [0], last time I looked there were about 12 or 14 with signing subkeys).

And an individual who uses GnuPG only for email communication and file encryption has no need of an authentication key. That is probably a large percentage of users.
[0] <https://groups.yahoo.com/group/PGPNET>

--
Best regards
MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

A closed door is an invitation to knock

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
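As an added example (not code from this thread, its author, or the GnuPG project), here is a small POSIX shell script that turns the "set a short expiry and review it when the date approaches" advice above into a check you can run. It parses the machine-readable `gpg --list-keys --with-colons` listing, where record type `sub` is a subkey, field 7 is the expiry as seconds since the epoch (gpg 2.x; older releases printed an ISO date, which this does not handle) and field 12 holds the capability letters, and lists every subkey that has expired or expires within a given window. The listing, key IDs, fingerprint and dates are constructed sample data; the `extend_subkey` and `add_replacement_subkey` helpers wrap the real `gpg --quick-set-expire` and `gpg --quick-add-key` commands (gpg 2.1.22 or later) and are deliberately not invoked in the demo, since they would modify a keyring.

```shell
#!/bin/sh
# Added example, not code from the gnupg-users thread: find the subkeys in a
# `gpg --list-keys --with-colons` listing whose expiry is past or falls inside
# a review window, so the "extend or replace?" decision is taken before the
# date hits. Assumes gpg 2.x colon format (field 7 = expiry, epoch seconds).

# CONSTRUCTED sample listing; key IDs, fingerprint and dates are made up.
# Certify-only primary key with no expiry (field 7 empty); signing (s) and
# encryption (e) subkeys expiring in November 2025; an authentication (a)
# subkey expiring in 2027; and a second authentication subkey with no expiry.
SAMPLE_LISTING='pub:u:255:22:0123456789ABCDEF:1700000000:::u:::c::::::23::0:
fpr:::::::::000000000000000000000000000000000000ABCD:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:255:22:1111111111111111:1700000000:1763000000:::::s::::::23:
sub:u:255:18:2222222222222222:1700000000:1763000000:::::e::::::23:
sub:u:255:22:3333333333333333:1700000000:1800000000:::::a::::::23:
sub:u:255:22:4444444444444444:1700000000::::::a::::::23:'

# expiring_subkeys NOW_EPOCH WINDOW_DAYS
# Reads a colon-format listing on stdin and prints "keyid capability status"
# for every "sub" record whose expiry (field 7, epoch seconds) is already
# past ("expired") or falls within WINDOW_DAYS of NOW_EPOCH ("<n>d" left).
# Subkeys with no expiry (empty field 7) never appear here, which is the
# point the message above makes: nothing ever prompts a review of them.
expiring_subkeys() {
  now="$1"
  window_secs=$(( $2 * 86400 ))
  awk -F: -v now="$now" -v window="$window_secs" '
    $1 == "sub" && $7 != "" {
      left = $7 - now
      if (left <= 0)           print $5, $12, "expired"
      else if (left <= window) print $5, $12, int(left / 86400) "d"
    }'
}

# The two outcomes of the review, against a real keyring (gpg >= 2.1.22).
# Not run in this demo because they modify the keyring.
# extend_subkey PRIMARY_FPR SUBKEY_FPR 2y   -> keep the subkey, push its expiry
extend_subkey() {
  gpg --quick-set-expire "$1" "$3" "$2"
}
# add_replacement_subkey PRIMARY_FPR sign|encr|auth 2y -> mint a fresh subkey
add_replacement_subkey() {
  gpg --quick-add-key "$1" default "$2" "$3"
}

# Demo with a fixed clock (October 2025) and a 60-day window: the signing and
# encryption subkeys are reported, the authentication subkeys are not.
DEMO_NOW=1760000000
printf '%s\n' "$SAMPLE_LISTING" | expiring_subkeys "$DEMO_NOW" 60
```

Against a live keyring the same function is fed from gpg directly, for example `gpg --list-keys --with-colons | expiring_subkeys "$(date +%s)" 90`; anything it prints is a subkey whose expiry you have to decide on within the next 90 days, and anything it stays silent about either has a comfortable margin or has no expiry at all.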