[ale] PGP Subkey Expiration
Jeremy T. Bouse
jeremy.bouse at undergrid.net
Sun Feb 1 20:48:54 EST 2009
My policy is to go the route of option #3... I issue new subkeys
according to my published key policy [1] with an expiration of usually
24 months, never more than 30. I issue the new subkeys before the old
ones expire and get them out to the key servers. After I've given time
for the new subkeys to get out I then send out the revocation certs for
the subkeys.
I've run into issues before with odd behavior with expired keys that
haven't been revoked causing false positive alerts.
Regards,
Jeremy
[1] http://undergrid.net/legal/gpg
Andrew Grieser wrote:
> I have a pgp/gpg subkey that is about to expire (the encryption subkey is expiring, not the master signing key), and was wondering which action to take:
>
> 1) Extend expiration date
> 2) Let encryption subkey expire and generate a new encryption subkey
> 3) Let encryption subkey expire AND revoke it, and generate a new encryption subkey
>
> Just wondering what normal practice was on this. The reason I initially put an expiration date on the subkey was in case I ever lost the keys and/or paranoia.
>
> Andrew