[2013-01-29 04:51:49 +0100] Karol Babioch:
> On 29.01.2013 04:37, Gaetan Bisson wrote:
> > Dave's answer certainly misses the real question of why Thorsten would
> > want an expiration date on his GPG key,
>
> Because it's good and common practice. There are several reasons for
> this, one of which is a compromise. When you got compromised and lose
> your revocation certificate, too, the key will expire at some point in time.

So instead of impersonating you for the rest of your life, the attacker
who compromised your key can only do so for a whole year? Well, only a
few hours generally suffice for them to cause terrible damage - that is
certainly true with Arch's package signing infrastructure.

Expiring keys trade ease-of-use for a fake sense of security, so better
avoid them and actually secure your key and revocation certificates.

> I'm not sure about GPG, but in case of X.509 it also helps to keep the
> certificate revocation lists (CRL) short, as certificates, which are
> expired anyway, don't have to be listed here explicitly.

In my opinion, that's a moot technical point which does not concern GPG.

Cheers.

--
Gaetan