Best practice for periodic key change?
Doug Barton
dougb at dougbarton.us
Fri May 6 22:37:12 CEST 2011
On 05/06/2011 08:34, Hauke Laging wrote:
> On Friday, 6 May 2011, 09:47:57, Doug Barton wrote:
>
>> There's also another element, the expiration date is irrelevant if the
>> key is actually compromised. If Eve has your secret key she can simply
>> update or remove the expiration date, and upload the new version of the
>> public key to the public keyservers.
>
> That's not correct for subkeys and offline mainkeys as the good guys do it.

I don't understand this response. What I'm saying is that if the key is
compromised, expiration dates become irrelevant. Perhaps you could
expand your response a bit?

> I admit that a subkey expiration date does not make much sense for low
> security mainkeys but it is quite useful for more secure environments.

How so? I still haven't seen an explanation of what benefit the
expiration date provides.
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/