* On 2019 07 Jul 12:19 -0500, Teemu Likonen wrote:
> Nate Bargmann [2019-07-07T12:03:35-05] wrote:
>
> > Within the past day I have received two mails via the debian-announce
> > list (I recently subscribed), and have seen some on this list where I
> > am seeing the output from gpgme in neomutt that the signing key
> > expired some time ago. Not expired within the past days but months or
> > almost a couple of years ago. As I have my signing key set not to
> > expire, I'm not sure if gnupg is issuing a warning about an expired
> > key to those senders.
>
> You need to update your copy of the keys. Those developers have very
> likely updated the expiration day and moved it again to some point in
> the future. Debian developers' keys can be updated with the WKD protocol
> using their debian.org email address:
>
>     gpg --auto-key-locate clear,nodefault,wkd --locate-key dev@debian.org

I don't know how many thousand keys are in my database so this is going
to be a slow process. What to do for keys that don't have an associated
WKD?

I just learned about WKD this past week when reading about the key
poisoning via the SKS network mentioned in another mail, but apparently
this is something that is going to have to be implemented for every
email domain. While it is probably good in its own right, the
centralized SKS network is easy to use and point gnupg toward. In my not
so educated opinion, it seems that the SKS network should do a
validation for any uploaded or updated key.

> It's a good idea to have an expiration date in PGP keys. If the owner
> loses his key (or the owner dies!) and can't revoke the key or can't
> send the revocation certificate everywhere then at least the expiry
> date takes care of invalidating the key.
>
> Expiration date is also a hint for other people that they may need to
> update the key.

If you check my signing key, it was created in May 2000! Perhaps that
is a bit long in the tooth as it is only 1024 bits. I suppose I should
consider a new signing key with a reasonable expiry date.

- Nate

-- 
"The optimist proclaims that we live in the best of all possible
worlds. The pessimist fears this is true."
Web: https://www.n0nb.us
GPG key: D55A8819
GitHub: N0NB
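
The shell functions below are an added example, not part of the original mail or thread: they narrow the refresh to keys the local keyring already marks as expired, run the WKD lookup quoted above for each address, and print the addresses for which that lookup failed. The function names, the GPG override variable and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, $GPG override and sample data are assumptions.

# Read `gpg --list-keys --with-colons` output on stdin; print each e-mail
# address (lowercased, de-duplicated) attached to an expired primary key.
expired_addrs() {
    awk -F: '
        $1 == "pub" { expired = ($2 == "e") }   # field 2 "e" = key expired
        $1 == "uid" && expired && $2 != "r" {   # skip revoked user IDs
            # Field 10 holds the user ID; take the address inside <...>.
            if (match($10, /<[^<>@ ]+@[^<>@ ]+>/))
                print tolower(substr($10, RSTART + 1, RLENGTH - 2))
        }
    ' | sort -u
}

# Read addresses on stdin, run the WKD lookup from the thread for each,
# and print the addresses where the lookup failed (no WKD, or no network).
refresh_via_wkd() {
    while IFS= read -r addr; do
        "${GPG:-gpg}" --auto-key-locate clear,nodefault,wkd \
            --locate-key "$addr" >/dev/null 2>&1 </dev/null ||
            printf '%s\n' "$addr"
    done
}

# Constructed sample listing (not real keys) for offline testing.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1400000000:1500000000::-:::sc::::::23::0:
uid:e::::1400000000::H1::Alice Example <alice@example.org>::::::::::0:
uid:e::::1400000000::H2::Alice (work) <Alice@Example.com>::::::::::0:
uid:r::::1400000000::H3::Alice (old) <old@example.org>::::::::::0:
pub:-:1024:17:BBBBBBBBBBBBBBBB:958000000:::-:::scESC::::::23::0:
uid:-::::958000000::H4::Bob Example <bob@example.net>::::::::::0:
pub:e:2048:1:CCCCCCCCCCCCCCCC:1300000000:1400000000::-:::sc::::::23::0:
uid:e::::1300000000::H5::Carol Example (no address)::::::::::0:
EOF
}

# Typical use against the real keyring:
#   gpg --list-keys --with-colons | expired_addrs | refresh_via_wkd
```

The addresses it prints are the ones left over for some other retrieval path; keys whose user IDs carry no e-mail address are never looked up at all.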