At 5:44 AM -0700 7/9/1999, Bodo Moeller said:
Me too. I did not detail this in my previous message, but IMO the way
to go is to use short validity periods on your encryption keys (so
that if you let them expire, no-one will send you mail encrypted to
those keys any more; an additional advantage is that you can change
the cipher preferences etc. if you switch to newer software versions)
and a longer validity period for the signing key. Also your signing
key could use a long _key_ validity period, but short _signature_
validity periods for the self-signatures; then the key validity
period, if defined, should be used by others who certify that key.
A signing key is really invalid only when publishing its secret part
cannot break anything (not that I recommend doing so ...).
The self-signature! Not the whole key, unless you don't re-validate.
For this, a signature validity period should be used, not a key
We're in violent agreement here.
The problem is that "key expiration" in OpenPGP (well, actually in the V4
data structures) is in the self signature. If you look at the V3 key
packet, there's a key expiration. In the V4 structure, it is gone. It's in
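The V3-versus-V4 difference stated in the reply above (a V3 public-key packet carries its own validity field; a V4 key has none and gets its expiration from a subpacket in the self-signature), together with Moeller's distinction between a key validity period and a self-signature validity period, as an added example that is not part of the original thread. The packet layouts follow RFC 4880 (the same V3/V4 structures RFC 2440 defined at the time of this discussion). The sample packet bodies, timestamps, the `key_status` helper and the dummy MPIs are constructed for illustration and are not real key material or anyone's signature.

```python
import struct

# Signature subpacket types, RFC 4880 section 5.2.3.1.
SUB_SIG_CREATION_TIME = 2    # 4-octet time the signature was made
SUB_SIG_EXPIRATION_TIME = 3  # 4-octet seconds after *signature* creation
SUB_KEY_EXPIRATION_TIME = 9  # 4-octet seconds after *key* creation


def parse_subpackets(data):
    """Split a run of signature subpackets into (type, critical, body) tuples."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:                      # one-octet length form
            length, i = first, i + 1
        elif first < 255:                    # two-octet length form
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:                                # five-octet length form
            length = struct.unpack(">I", data[i + 1:i + 5])[0]
            i += 5
        body = data[i:i + length]
        if length == 0 or len(body) != length:
            raise ValueError("truncated or empty subpacket")
        i += length
        out.append((body[0] & 0x7F, bool(body[0] & 0x80), body[1:]))
    return out


def parse_v3_public_key(body):
    """V3 public-key packet: the expiration (in days) lives in the key packet itself."""
    version, created, valid_days, algo = struct.unpack(">BIHB", body[:8])
    if version != 3:
        raise ValueError("not a V3 key packet")
    expires = created + valid_days * 86400 if valid_days else None
    return {"created": created, "algo": algo, "expires": expires}


def parse_v4_public_key(body):
    """V4 public-key packet: no expiration field at all; only a self-signature can supply one."""
    version, created, algo = struct.unpack(">BIB", body[:6])
    if version != 4:
        raise ValueError("not a V4 key packet")
    return {"created": created, "algo": algo, "expires": None}


def parse_v4_signature(body):
    """Pull the timing subpackets out of a V4 signature packet body.

    Only the hashed subpacket area is consulted: the unhashed area is not
    covered by the signature, so expiration data there cannot be trusted.
    """
    version, sig_type, pk_algo, hash_algo, hashed_len = struct.unpack(">BBBBH", body[:6])
    if version != 4:
        raise ValueError("not a V4 signature packet")
    hashed = body[6:6 + hashed_len]
    info = {"sig_type": sig_type, "created": None, "sig_lifetime": 0, "key_lifetime": 0}
    for sub_type, _critical, sub_body in parse_subpackets(hashed):
        if sub_type == SUB_SIG_CREATION_TIME:
            info["created"] = struct.unpack(">I", sub_body)[0]
        elif sub_type == SUB_SIG_EXPIRATION_TIME:
            info["sig_lifetime"] = struct.unpack(">I", sub_body)[0]
        elif sub_type == SUB_KEY_EXPIRATION_TIME:
            info["key_lifetime"] = struct.unpack(">I", sub_body)[0]
    return info


def key_status(key, selfsig, now):
    """Tell an expired key apart from an expired self-signature (assumed helper).

    A zero lifetime means "never expires".  Key expiration counts from key
    creation; signature expiration counts from signature creation.
    """
    key_expires = key["created"] + selfsig["key_lifetime"] if selfsig["key_lifetime"] else None
    sig_expires = selfsig["created"] + selfsig["sig_lifetime"] if selfsig["sig_lifetime"] else None
    if key_expires is not None and now >= key_expires:
        return "key expired"
    if sig_expires is not None and now >= sig_expires:
        return "self-signature expired"   # key itself still alive; owner can re-sign it
    return "valid"


# --- constructed sample packet bodies (not real keys; MPIs are 1-bit dummies) ---
def subpacket(sub_type, payload):
    body = bytes([sub_type]) + payload
    return bytes([len(body)]) + body         # one-octet length form


KEY_CREATED = 931478400                      # 1999-07-09 00:00 UTC, chosen for the example
V3_KEY_BODY = struct.pack(">BIHB", 3, KEY_CREATED, 365, 1) + b"\x00\x01\x01"
V4_KEY_BODY = struct.pack(">BIB", 4, KEY_CREATED, 17) + b"\x00\x01\x01"
HASHED = (subpacket(SUB_SIG_CREATION_TIME, struct.pack(">I", KEY_CREATED))
          + subpacket(SUB_KEY_EXPIRATION_TIME, struct.pack(">I", 2 * 365 * 86400))
          + subpacket(SUB_SIG_EXPIRATION_TIME, struct.pack(">I", 90 * 86400)))
V4_SELFSIG_BODY = (struct.pack(">BBBBH", 4, 0x13, 17, 8, len(HASHED)) + HASHED
                   + b"\x00\x00"            # empty unhashed area
                   + b"\x00\x00"            # left 16 bits of hash (dummy)
                   + b"\x00\x01\x01")       # dummy MPI

if __name__ == "__main__":
    print("V3 key:", parse_v3_public_key(V3_KEY_BODY))
    print("V4 key:", parse_v4_public_key(V4_KEY_BODY))
    sig = parse_v4_signature(V4_SELFSIG_BODY)
    print("V4 self-signature:", sig)
    for days in (0, 100, 800):
        print(days, "days later:", key_status(parse_v4_public_key(V4_KEY_BODY), sig, KEY_CREATED + days * 86400))
```

The point the parser makes concrete: with a V4 key, a short lifetime in subpacket 3 only retires the self-signature, and the owner can issue a fresh one under the same key, whereas a lifetime in subpacket 9 (or the V3 validity field) ends the key. Readers of a real keyring must also check that the subpackets come from the hashed area and that the self-signature actually verifies under the key, which this constructed sample cannot do.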