On 22.03.2016 23:10, Dashamir Hoxha wrote:

> You got this wrong. It does not enforce 1 month expiry. Right after
> creating the key you can change its expiry to 10y, if you wish. But if
> you say nothing, after 1m you will have to renew it (if you still
> remember the passphrase). This is like a safety measure for people who
> are not familiar with gpg.
In this case, I think you have got a point. I think the gnupg default of 'expires: never' is not the best solution, since people who just try it out might end up with a public key published to keyservers where they have lost the private key. Of course, this is not different from fake keys published by third parties; as long as there are no relevant signatures on it, nobody should trust them. But I still think it might be better to set a default expiry of, let's say, 1 year and two months for the primary key and one year for the subkeys.

Then there is the problem that the user might not notice that his key is expired. I remember vaguely spending a day trying to find the error until I noticed that my subkeys were expired. But this might have been a problem with Enigmail, which did not give a clear error message.

However, one month is IMHO too short. But maybe I'm not the best judge, since the last time I wrote an encrypted email was multiple months ago and I only once in my lifetime got an encrypted email except for testing purposes. Renewing my keys every month (and, which is more difficult than simply remembering to do so, distributing them between the couple or so machines where I read email) would be too much of a hassle.

Regards,
Viktor
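The problem Viktor describes, not noticing that a subkey has silently expired, is easy to catch with a small check over GnuPG's machine-readable listing. The script below is an added example, not code from the thread or from GnuPG: it parses the colon-separated output of `gpg --with-colons --list-keys` (the format documented in GnuPG's doc/DETAILS, where field 7 of a `pub`/`sub` record is the expiration time, empty meaning "never") and flags keys that are expired, expiring within a warning window, or set to never expire. The sample listing embedded in it is constructed for illustration; the key ids and timestamps are not real.

```python
"""Flag OpenPGP primary keys and subkeys that are expired, about to expire,
or have no expiry at all, from `gpg --with-colons --list-keys` output.

Added example, not part of the mailing-list thread or of GnuPG itself.
"""
import datetime as dt
import subprocess

# Constructed sample in gpg's colon format (doc/DETAILS):
# field 1 = record type, field 5 = key id, field 6 = creation time,
# field 7 = expiration time (seconds since epoch, or empty for "never").
SAMPLE = """\
tru::1:1711000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1680000000:1716000000::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1680000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1680000000:1700000000:::::e::::::23:
sub:u:4096:1:0011223344556677:1680000000:::::::s::::::23:
"""


def parse_gpg_time(field: str):
    """Return a UTC datetime, or None when the field is empty ("never").

    gpg prints either seconds since the epoch or ISO 8601 'YYYYMMDDTHHMMSS';
    doc/DETAILS says to detect the latter by looking for the 'T'.
    """
    if not field:
        return None
    if "T" in field:
        return dt.datetime.strptime(field, "%Y%m%dT%H%M%S").replace(
            tzinfo=dt.timezone.utc
        )
    return dt.datetime.fromtimestamp(int(field), tz=dt.timezone.utc)


def classify_keys(colon_output: str, now: dt.datetime, warn_days: int = 30):
    """Return (record_type, keyid, status, days_left) for every pub/sub record.

    status is one of "expired", "expiring" (within warn_days), "ok" or "never".
    days_left is None for keys without an expiry.
    """
    results = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue  # skip trust, fingerprint and user-id records
        keyid = fields[4]
        expires = parse_gpg_time(fields[6])
        if expires is None:
            results.append((fields[0], keyid, "never", None))
            continue
        days_left = (expires - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append((fields[0], keyid, status, days_left))
    return results


def check_local_keyring(warn_days: int = 30):
    """Run gpg on the local keyring and classify the result (needs gpg installed)."""
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--list-keys"],
        capture_output=True, text=True, check=True,
    ).stdout
    return classify_keys(out, dt.datetime.now(tz=dt.timezone.utc), warn_days)


if __name__ == "__main__":
    # Pretend "today" is 2024-04-24 UTC so the constructed sample exercises
    # all three interesting states.
    now = dt.datetime.fromtimestamp(1714000000, tz=dt.timezone.utc)
    for rec_type, keyid, status, days in classify_keys(SAMPLE, now):
        detail = "" if days is None else f" ({days} days left)"
        print(f"{rec_type} {keyid}: {status}{detail}")
```

Running this periodically (a cron job or a login script on each machine that reads mail) gives the early warning that Enigmail apparently did not: the `expiring` state for the primary key and the `expired` state for the encryption subkey are both reported before a correspondent's mail bounces off a dead key, and the `never` state lists exactly the keys that would end up as orphaned "expires: never" entries on a keyserver if the secret key were ever lost.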
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users