On Thu, Oct 03, 2013 at 05:02:57AM -0400, John Abreau wrote:
> It should be noted that if the key is expired, then most likely all
> previous signatures on it are almost certainly also expired.

Signatures don't expire, though the keys used to sign them might... but
this may not be interesting depending on how you--and the people you
communicate with--manage your keys. See below.

> And I'm not sure if the key servers will accept an extension of the
> expiration date, at least after it's already expired.

They will, though you may need to use a key server that understands
OpenPGP and subkeys... I believe the MIT PGP key server STILL does not,
which (if it is true) is shameful.

I expire and update my key every year... generally only once I've
noticed it's expired. John, you should have my key, id 81CFE75D; you
signed it in 2001. :) If you've not been refreshing your keys, you'll
most likely see that it is expired, probably in 2002, or at the latest
2003 (I'm quite positive I attended no key signings since I moved to
South Korea). But if you search the key servers for that key ID, you
will see that it is not! Or you could just refresh my key and then
check it again:

  gpg --keyserver hkp://subkeys.pgp.net --recv-keys F73655D5

You will also see, if you --list-sig on it, that your signature is
still there and is perfectly valid. There is only one date ascribed to
your signature: the date on which you signed the key.

> If I'm remembering correctly, I think I ran into this problem
> several years ago when I tried to extend the expiration date on one
> of my keys.

Older PGP key servers had a variety of problems; I'm not sure if this
was one of them... it may well have been. Switch to a key server that
uses subkeys and you'll be fine.

As to whether or not you should bother to expire your keys, this is
from the GNU Privacy Handbook:

  http://www.gnupg.org/gph/en/manual.html#AEN26

  For most users a key that does not expire is adequate. The expiration
  time should be chosen with care, however, since although it is
  possible to change the expiration date after the key is created, it
  may be difficult to communicate a change to users who have your
  public key.

However, it is only difficult because people may not be diligent about
their key management. I have the following entries in my crontab:

  0 3 * * 5 /usr/bin/gpg --send-key 81CFE75D DFBEAD02 >/dev/null
  5 3 1,15 * * /usr/bin/gpg --refresh-keys >/dev/null

These ensure that:

1) Whenever I update my key, the newest version of it will be sent to
   the key servers, for others to refresh from.
2) Whenever any of the people whose keys I have update their keys and
   send them to the key servers, I get the latest versions of them.
3) Whenever someone else signs my keys and uploads their signed copy of
   my public key to the key servers, I get their signature attached to
   my local copy of the key.

You could do something similar to keep all your keys and signatures
current.

Though I cannot quickly find any reference to this idea now, I have a
vague (possibly wrong) memory that they used to recommend that you set
NO expiration on your signing key, but only expire encryption keys.
This way, your signing key retains any signatures it ever had, and
others can trust your new encryption keys because they will be signed
by your existing signing key. I generally did this in the past, but
I've gotten lazy and now just renew my existing keys.

It's not required to expire any of your keys, and if you are a "normal"
person (one who is not particularly likely to be attacked due to the
sensitivity of your communications), you probably really don't need to
worry about expiring your keys, as the manual suggests. It's still good
practice if you're paranoid... After all, your situation could change
and you could suddenly find yourself in a position where your
communications might be targeted. Of course, if your adversary is the
NSA, you're out of luck regardless. =8^)

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will
result in undeliverable mail due to spam prevention. Sorry for the
inconvenience.
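An added example, not part of the post above: a small parser for the machine-readable output of `gpg --with-colons --list-sigs KEYID` that reports whether each key has expired as of a given date and keeps the signing date of every signature on it, so you can see for yourself that a refresh changes the key's expiry field while the 2001-style signature keeps its original date. The key IDs, addresses and dates in the two embedded listings are constructed sample values, and the listings show the same key before and after a `--refresh-keys`.

```python
# Added example (not from the mailing-list post): parse `gpg --with-colons
# --list-sigs` output and compare key expiry against signature dates.
# Key IDs, addresses and timestamps below are constructed sample values.
from datetime import datetime, timezone

def parse_ts(field):
    """Colon-listing dates are epoch seconds (GnuPG 2.x) or YYYY-MM-DD
    (older 1.x listings); an empty field means 'no expiry'."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)

def parse_listing(text):
    """Group sig records under the pub/sub record they follow. Fields used:
    1 record type, 5 key ID (the signer's key ID on sig lines),
    6 creation/signing date, 7 expiry (of the key, or of the signature)."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = {"type": f[0], "keyid": f[4], "created": parse_ts(f[5]),
                       "expires": parse_ts(f[6]), "sigs": []}
            keys.append(current)
        elif f[0] == "sig" and current is not None:
            current["sigs"].append({"signer": f[4], "signed": parse_ts(f[5]),
                                    "sig_expires": parse_ts(f[6])})
    return keys

def key_status(key, now):
    """'valid', 'expired' or 'no-expiry' for one parsed pub/sub record."""
    if key["expires"] is None:
        return "no-expiry"
    return "expired" if key["expires"] <= now else "valid"

def expired_keyids(text, now):
    """Key IDs whose local copy is expired, i.e. candidates for --refresh-keys."""
    return [k["keyid"] for k in parse_listing(text) if key_status(k, now) == "expired"]

# Constructed listing of a key created 1999-01-01, expiring 2002-01-01,
# signed on 2001-06-14; then the same key after a keyserver refresh, where
# only the pub record's validity and expiry fields changed.
STALE = """\
pub:e:1024:17:0123456789ABCDEF:915148800:1009843200::-:::scaESCA::::::
uid:e::::915148800::0000000000000000000000000000000000000000::Example User <user at example.invalid>::
sig:::17:FEDCBA9876543210:992476800::::Example Signer <signer at example.invalid>:10x::
"""
REFRESHED = STALE.replace("pub:e:", "pub:-:").replace(":1009843200:", ":1388534400:")
NOW = datetime(2013, 10, 3, tzinfo=timezone.utc)  # date of the post

if __name__ == "__main__":
    for name, text in (("stale", STALE), ("refreshed", REFRESHED)):
        for k in parse_listing(text):
            print(name, k["keyid"], key_status(k, NOW),
                  [s["signed"].date().isoformat() for s in k["sigs"]])
```

Run it against real output by piping `gpg --with-colons --list-sigs KEYID` into `parse_listing`; the signing dates it reports are unaffected by a refresh, only the key's expiry field moves.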