On 07/20/2010 10:36 AM, Clint Adams wrote:
> On Tue, Jul 20, 2010 at 09:33:42AM -0500, John Goerzen wrote:
>> keys; that's their preference and choice. I just want to make sure my
>> own key won't be rejected by Debian or the keysigning if it lacks an
>> expiration date.
>
> It won't; I have no intention of ever setting one.

I agree that expiration dates do not protect against malicious control of a key. What they do is provide a dead-man switch in case of hardware failure or other accidental destruction of the key material.

Expiration events also encourage regular review of use of the key, by requiring new self-sigs every few years. These are opportunities to update the list of supported algorithms (as our tools change), or to swap out keys altogether. They also indicate to users that the key is actually still active, and the keyholder is using it.

I agree that expirations are not a cryptographic safeguard against malicious use. But i think they are a demonstration of (and an encouragement toward) engaged and conscious use of the key, which is why i included them in the "best practices" list in the first place.

The lack of an expiration date on the keys of people who are otherwise engaged doesn't mean they're not doing the right thing. But the presence of one suggests that the user is at least thinking actively about their key every few years, which is unfortunately probably not the case for many keys on the public keyservers (and for some keys in the debian keyring).

As one concrete example: Imagine if the folks sending out the WAT ping didn't need to agonize over setting their own specific deadline in every case, but had a self-set deadline already present for most DDs. We could automatically cull a decent proportion of inactive DDs directly if their keys expired and they couldn't be bothered to maintain them.

Those of you who do manage your keys properly and take them seriously already wouldn't have trouble with this arrangement. Folks who don't might be encouraged to think more strongly about what it means to manage their digital identity (which we all rely on in the project).

So i still think it's a Best Practice and should be encouraged, but i agree that debian should not mandate it at the moment.

--dkg
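The "dead-man switch" and "regular review" arguments above translate directly into a keyring audit: list every key, flag those with no expiration date, those already expired, and those whose self-set deadline is coming up. The script below is an added example, not part of the thread or of any Debian tool. It parses the colon-separated listing that `gpg --with-colons --list-keys` emits (on a `pub:` record field 5 is the key ID, field 6 the creation time and field 7 the expiration time, seconds since the epoch or compact ISO 8601, empty when unset; `uid:` records carry the user ID in field 10). The listing, key IDs and user IDs embedded in it are constructed for the example, and the 90-day review window and the fixed review time are assumptions.

```python
"""Audit OpenPGP key expirations from `gpg --with-colons --list-keys` output.

Added example, not code from the original thread. The sample listing below
is constructed; run against a real keyring with:
    gpg --with-colons --list-keys | python3 this_script.py
"""
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample listing (fake key IDs and user IDs): one key with no
# expiration, one already expired, one expiring inside the review window,
# one comfortably within its validity period.
SAMPLE_LISTING = """\
tru::1:1279633234:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1279633234::::::scESC::::::23::0:
uid:u::::1279633234::AAAA::Alice Example <alice@example.org>::::::::::0:
pub:e:2048:1:FEDCBA9876543210:1200000000:1262304000::::::scESC::::::23::0:
uid:e::::1200000000::BBBB::Bob Example <bob@example.org>::::::::::0:
pub:u:4096:1:0011223344556677:1250000000:1283000000::::::scESC::::::23::0:
uid:u::::1250000000::CCCC::Carol Example <carol@example.org>::::::::::0:
pub:u:4096:1:8899AABBCCDDEEFF:1270000000:1400000000::::::scESC::::::23::0:
uid:u::::1270000000::DDDD::Dave Example <dave@example.org>::::::::::0:
"""

# Assumed review time (20 July 2010, UTC), so the sample gives stable results.
REVIEW_TIME = datetime(2010, 7, 20, 14, 0, tzinfo=timezone.utc)


@dataclass
class KeyStatus:
    keyid: str
    uid: str
    created: Optional[datetime]
    expires: Optional[datetime]
    status: str  # "no-expiration", "expired", "expiring-soon" or "ok"


def _parse_gpg_time(field: str) -> Optional[datetime]:
    """Parse a colon-listing timestamp: seconds since the epoch or the
    compact ISO 8601 form (e.g. 20100720T140000). Empty means "not set"."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def review_keys(listing: str, now: datetime, window_days: int = 90) -> List[KeyStatus]:
    """Classify every primary key in the listing relative to `now`."""
    results: List[KeyStatus] = []
    current: Optional[KeyStatus] = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            created = _parse_gpg_time(fields[5])
            expires = _parse_gpg_time(fields[6])
            if expires is None:
                status = "no-expiration"      # no dead-man switch at all
            elif expires <= now:
                status = "expired"            # switch has tripped
            elif (expires - now).days < window_days:
                status = "expiring-soon"      # time to review / re-self-sign
            else:
                status = "ok"
            current = KeyStatus(fields[4], "", created, expires, status)
            results.append(current)
        elif fields[0] == "uid" and current is not None and not current.uid:
            # Attach the first user ID that follows the pub record.
            current.uid = fields[9]
    return results


def format_report(statuses: List[KeyStatus]) -> str:
    """Render one line per key: key ID, expiration date, status, user ID."""
    lines = []
    for s in statuses:
        exp = s.expires.date().isoformat() if s.expires else "never"
        lines.append(f"{s.keyid}  expires {exp:>10}  {s.status:<14} {s.uid}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a real listing from stdin if one is piped in; otherwise use the sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    now = datetime.now(timezone.utc) if listing is not SAMPLE_LISTING else REVIEW_TIME
    print(format_report(review_keys(listing, now)))
```

The "no-expiration" and "expired" buckets are the ones the WAT-style cull would act on; "expiring-soon" is the reminder that a new self-signature (and a look at the algorithm preferences) is due.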