Renewing expiring key - done correctly?

Robert J. Hansen rjh at sixdemonbag.org
Wed Dec 4 02:20:07 CET 2013


On 12/3/2013 7:53 PM, Hauke Laging wrote:
> Sure but it makes little sense to play best practice in one part of key 
> management (expiration) and simultaneously worst practice (online mainkey) in 
> a much more important part of key management.

By introducing offline primary key storage on an air-gapped system, your
policy has become so complicated that no one, yourself included, is
capable of always following it to the letter.

A system so complex it cannot be used correctly, won't be used
correctly.  This is why avoiding expiration dates, offline key storage,
etc., often results in a stronger system: because by making it easier to
use correctly you increase both the likelihood it will be used at all,
and the likelihood it will be used correctly.
