ietf-openpgp

Key expiration

1999-07-12 01:55:00
At 5:44 AM -0700 7/9/1999, Bodo Moeller said:

   Me too.  I did not detail this in my previous message, but IMO the way
   to go is to use short validity periods on your encryption keys (so
   that if you let them expire, no-one will send you mail encrypted to
   those keys any more; an additional advantage is that you can change
   the cipher preferences etc. if you switch to newer software versions)
   and a longer validity period for the signing key.  Also your signing
   key could use a long _key_ validity period, but short _signature_
   validity periods for the self-signatures; then the key validity
   period, if defined, should be used by others who certify that key.
   A signing key is really invalid only when publishing its secret part
   cannot break anything (not that I recommend doing so ...).

   > [...]

   The self-signature!  Not the whole key, unless you don't re-validate.
   For this, a signature validity period should be used, not a key
   validity period.

We're in violent agreement here.

The problem is that "key expiration" in OpenPGP (well, actually in the V4
data structures) is in the self-signature. If you look at the V3 key
packet, there's a key expiration. In the V4 structure, it is gone. It's in
the self-sig.

        Jon
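To make the structural point in Jon's message concrete, here is an added example (not code from the thread or from any OpenPGP implementation) that parses minimal key material and reports where the expiration lives: in a V3 public-key packet the validity period is a two-octet field of the key packet itself, while a V4 key packet carries no such field and the lifetime comes from the Key Expiration Time subpacket (type 9) in the self-signature. It also pulls out the Signature Expiration Time subpacket (type 3), which is the "signature validity period" Bodo distinguishes from key validity. All packets below are constructed inline with dummy MPIs and a made-up creation timestamp, so nothing here is a real key.

```python
"""Locate the expiration field in OpenPGP V3 vs V4 key material.

Added example, not from the ietf-openpgp thread. The packets are
constructed inline (dummy key material) so the script runs offline.
Packet and subpacket framing follow RFC 2440.
"""
import struct

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
SUBPKT_SIG_CREATION = 2     # Signature Creation Time
SUBPKT_SIG_EXPIRATION = 3   # Signature Expiration Time (seconds after sig creation)
SUBPKT_KEY_EXPIRATION = 9   # Key Expiration Time (seconds after key creation)


def new_format_packet(tag, body):
    """Wrap body in a new-format packet header (one-, two- or five-octet length)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def old_format_packet(tag, body):
    """Wrap body in an old-format header with a one-octet length (body < 256)."""
    assert len(body) < 256
    return bytes([0x80 | (tag << 2)]) + bytes([len(body)]) + body


def subpacket(sp_type, body):
    """Signature subpacket: one-octet length (covers type + body), type, body."""
    assert len(body) + 1 < 192
    return bytes([len(body) + 1, sp_type]) + body


def parse_packets(data):
    """Yield (tag, body) for each packet; handles old and new format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new format header
            tag = ctb & 0x3F
            b0 = data[i]; i += 1
            if b0 < 192:
                n = b0
            elif b0 < 224:
                n = ((b0 - 192) << 8) + data[i] + 192; i += 1
            elif b0 == 255:
                n = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                               # indeterminate length
                n = len(data) - i
            else:
                size = {0: 1, 1: 2, 2: 4}[ltype]
                n = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + n]
        i += n


def parse_subpackets(blob):
    """Return {type: body} for a run of signature subpackets (critical bit stripped)."""
    out, i = {}, 0
    while i < len(blob):
        b0 = blob[i]; i += 1
        if b0 < 192:
            n = b0
        elif b0 < 255:
            n = ((b0 - 192) << 8) + blob[i] + 192; i += 1
        else:
            n = struct.unpack(">I", blob[i:i + 4])[0]; i += 4
        out[blob[i] & 0x7F] = blob[i + 1:i + n]
        i += n
    return out


def expiration_info(data):
    """Report where the key expiration is encoded and the lifetimes found."""
    info = {}
    for tag, body in parse_packets(data):
        if tag == TAG_PUBLIC_KEY:
            version = body[0]
            info["key_version"] = version
            info["key_created"] = struct.unpack(">I", body[1:5])[0]
            if version == 3:
                # V3: validity period (days, 0 = never) sits in the key packet itself
                days = struct.unpack(">H", body[5:7])[0]
                info["key_expiry_source"] = "key packet"
                info["key_lifetime_s"] = days * 86400 if days else None
            else:
                info["key_expiry_source"] = None         # V4 key packet has no such field
        elif tag == TAG_SIGNATURE and body[0] == 4:
            hashed_len = struct.unpack(">H", body[4:6])[0]
            sp = parse_subpackets(body[6:6 + hashed_len])
            if SUBPKT_KEY_EXPIRATION in sp:
                info["key_expiry_source"] = "self-signature subpacket 9"
                info["key_lifetime_s"] = struct.unpack(">I", sp[SUBPKT_KEY_EXPIRATION])[0]
            if SUBPKT_SIG_EXPIRATION in sp:
                info["sig_lifetime_s"] = struct.unpack(">I", sp[SUBPKT_SIG_EXPIRATION])[0]
    return info


# ---- constructed sample material (not real keys) -------------------------
DUMMY_MPI = b"\x00\x08\xab"          # 8-bit MPI standing in for key material
CREATED = 931737600                  # constructed creation timestamp

V3_KEY = old_format_packet(TAG_PUBLIC_KEY,
    b"\x03" + struct.pack(">I", CREATED) + struct.pack(">H", 365) + b"\x01" + DUMMY_MPI * 2)

V4_KEY = new_format_packet(TAG_PUBLIC_KEY,
    b"\x04" + struct.pack(">I", CREATED) + b"\x01" + DUMMY_MPI * 2)
HASHED = (subpacket(SUBPKT_SIG_CREATION, struct.pack(">I", CREATED))
          + subpacket(SUBPKT_KEY_EXPIRATION, struct.pack(">I", 2 * 365 * 86400))
          + subpacket(SUBPKT_SIG_EXPIRATION, struct.pack(">I", 90 * 86400)))
V4_SELFSIG = new_format_packet(TAG_SIGNATURE,
    b"\x04\x13\x01\x02" + struct.pack(">H", len(HASHED)) + HASHED
    + b"\x00\x00" + b"\xab\xcd" + DUMMY_MPI)   # no unhashed subpackets, left16, dummy sig MPI

if __name__ == "__main__":
    print("V3:", expiration_info(V3_KEY))
    print("V4 key alone:", expiration_info(V4_KEY))
    print("V4 key + self-sig:", expiration_info(V4_KEY + V4_SELFSIG))
```

Run stand-alone it prints the three cases: the V3 key reports its lifetime from the key packet, the V4 key on its own reports no expiration at all, and only once the self-signature is appended does the V4 key acquire a lifetime (two years here) alongside a separate, shorter signature lifetime (90 days). That separation is exactly what lets a V4 key owner re-certify a long-lived key with short-lived self-signatures, as the quoted text proposes.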