When you create or edit a key, the default option in GPG is not to set any expiration date. I set all my keys to expire after 1 year though. Here’s why.
Suppose the following scenario:
There can be many reasons why Alice hasn’t sent Bob a revocation certificate:
There can also be many reasons why Alice no longer wants to use the key:
If Alice has lost her secret key and Bob sends her an encrypted message, it’s just an inconvenience that she can’t decrypt the message. But if the secret key has been compromised and Bob wrongly believes that only Alice can decrypt his secret message, that could have grave consequences.
Whatever the reason, Alice doesn’t want anyone (including Bob) to use the key any more. But as long as the initial scenario persists, Bob will never know that, unless Alice has set an expiration date for her key.
The expiration date of a key tells Bob to no longer use the key after that date. If a key has expired or is soon to expire, Bob can check if Alice has issued her key again with a new expiration date or if she has issued a new key entirely.
If Alice sets all her keys to expire after 1 year, Bob has to check every year if Alice still uses the key if he wants to use it. And after 1 year, Alice can be sure that if there are any old public keys of hers out there that she has completely forgotten about, everyone knows not to use them any more (as long as the secret key hasn’t been compromised, because then someone could set a new expiration date).
So much for the advantages. The only disadvantage is that it’s a bit of work for you (you have to set a new expiration date if you still want to use the key after a year) and for others (they have to check if you still want to use the key after a year). But better to be safe than sorry. And don’t worry: you can always set a new expiration date for a key if you still have the secret key.
=> Set a new expiration date for a key
EOF
text/gemini; lang=enThis content has been proxied by September (ba2dc).