On 22/03/16 23:10, Dashamir Hoxha wrote:
> You got this wrong. It does not enforce 1 month expiry. Right after
> creating the key you can change its expiry to 10y, if you wish. But if
> you say nothing, after 1m you will have to renew it (if you still
> remember the passphrase). This is like a safety measure for people who
> are not familiar with gpg.
It's not a good default. There is something to be said for an expiry, so keys eventually become stale if the owner loses the revocation certificate and the key itself. But we clearly have an informed disagreement. There's nothing more I can say, I think.

> What is wrong with that? As long as there is a subkey for encryption,
> gpg will use the subkey for encryption, even if the primary key is
> capable of encryption.

That is not up to you! It's up to your peers, or your attackers. They pick which key they encrypt to, and your GnuPG will just use whatever key was encrypted to, to decrypt it. You don't have a say in it. Your only recourse is to delete your primary key, meaning you can't certify anymore either. If there are hidden recipients, GnuPG will simply try both your primary and your subkey to decrypt the hidden PKESK packet.

Why did you change this to the setting it had in the way before, the long-long ago: one key for everything? I've only ever seen it advocated in the sense that "you should encrypt to the primary key for TOP SECRET material, since I only have that key on an air-gapped offline computer". Not precisely a beginner's scenario, and a flawed argument anyway if you ask me.

> And I believe that this can be done with a bunch of simple
> shell scripts.

Go ahead. You've heard multiple opinions from several people. But please be aware of the criticism with regard to the details like the key capabilities and so forth. You're choosing this for your users, not just for yourself. Be prudent. Don't hurt your users, and realise that the defaults are that for good reason.

I would strongly urge you to keep GnuPG at its defaults: they are good. Just change the interface, not the defaults.

Okay, I should stop, I get the feeling every next sentence is a rephrasing of previous ones :).

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
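The point Peter makes above is that the key layout, not the sender's or owner's intentions, decides what a peer can encrypt to: if the primary key carries the encrypt capability, a sender may encrypt to it directly and the owner has no way to force use of the subkey. A practical way to catch that in a generated key is to inspect GnuPG's machine-readable listing. The script below is an added example, not code from this thread, from GnuPG or from the scripts Dashamir mentions; it parses the output of `gpg --with-colons --list-keys` (the `pub`/`sub` records, whose twelfth field holds the key's capability letters, lowercase for the key itself) and flags a primary key that is encryption-capable, a key without an encryption subkey, and a missing or short expiry. The listing embedded in it is constructed, with placeholder key ids and fingerprints, and shows the default layout (sign/certify primary plus an encryption subkey) next to the "one key for everything" layout criticised in the thread.

```python
"""Audit key capabilities from `gpg --with-colons --list-keys` output.

Added example; not GnuPG's code. Field positions follow the colon-format
records documented in GnuPG's doc/DETAILS: field 1 record type, field 5
key id, field 6 creation time, field 7 expiry time, field 12 capabilities.
"""
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (placeholder ids, no real keys).  Key ...0001 is the
# default layout: a sign+certify primary ("sc") with an encrypt subkey ("e").
# Key ...0003 was made with every capability on the primary ("esca").
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1458684600:1461276600::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1458684600::0000000000000000000000000000000000000000::Default Layout <default@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000002:1458684600:1461276600:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
pub:u:4096:1:0000000000000003:1458684600:1461276600::u:::escaESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1458684600::0000000000000000000000000000000000000000::Everything On Primary <all@example.invalid>::::::::::0:
"""


@dataclass
class KeyInfo:
    keyid: str
    created: int                 # seconds since epoch
    expires: Optional[int]       # None when the key never expires
    primary_caps: str            # lowercase letters: what the primary itself can do
    subkey_caps: List[str] = field(default_factory=list)


def _own_caps(field12: str) -> str:
    # Uppercase letters describe the whole key (primary + subkeys);
    # lowercase letters describe this particular key packet.
    return "".join(c for c in field12 if c.islower())


def parse_colon_listing(text: str) -> List[KeyInfo]:
    """Group each `pub` record with the `sub` records that follow it."""
    keys: List[KeyInfo] = []
    for line in text.splitlines():
        rec = line.split(":")
        if rec[0] == "pub":
            keys.append(KeyInfo(
                keyid=rec[4],
                created=int(rec[5]),
                expires=int(rec[6]) if rec[6] else None,
                primary_caps=_own_caps(rec[11]),
            ))
        elif rec[0] == "sub" and keys:
            keys[-1].subkey_caps.append(_own_caps(rec[11]))
    return keys


def expiry_days(key: KeyInfo) -> Optional[int]:
    """Days between creation and expiry, or None if the key never expires."""
    if key.expires is None:
        return None
    return (key.expires - key.created) // 86400


def audit(key: KeyInfo) -> List[str]:
    """Return layout findings for one key; an empty list means the default layout."""
    findings = []
    if "e" in key.primary_caps:
        findings.append("primary key is encryption-capable: a sender may encrypt "
                        "to it directly, so it cannot be kept offline")
    if not any("e" in caps for caps in key.subkey_caps):
        findings.append("no encryption subkey: every message is encrypted to the primary")
    if key.expires is None:
        findings.append("no expiry: the key never goes stale if the revocation "
                        "certificate is lost")
    return findings


if __name__ == "__main__":
    # Pipe real output in: gpg --with-colons --list-keys | python3 audit_keys.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for k in parse_colon_listing(text):
        print(f"{k.keyid}: primary={k.primary_caps} subkeys={k.subkey_caps} "
              f"expiry_days={expiry_days(k)}")
        for f in audit(k):
            print("  -", f)
```

Run it against a real keyring with `gpg --with-colons --list-keys | python3 audit_keys.py` (the file name is my own choice). The default key in the sample yields no findings and a 30-day window between creation and expiry; the all-on-primary key is flagged twice, which is exactly the layout a peer could exploit by encrypting to the primary.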