On Thursday, 22 January 2026 15:46:24 Central European Time Bernhard Reiter via Gnupg-devel wrote:
> On Tuesday 20 January 2026 07:31:21 Ben Kibbey wrote:
> > Is it normal behavior to add a subkey whose expiration is after a
> > primary key

I don't think that this makes any sense because such a subkey wouldn't be usable after the expiration of the primary key. The usual case is to set no expiration for a new subkey so that the subkey expires together with the primary key. The alternative is to add a subkey with an expiration (long) before the primary key because one wants to rotate the subkey but one wants to keep the primary key for a longer period of time.

> > If so, it may be good to issue a warning during
> > --edit-key that a subkey expiration is later than the primary since one
> > would have to change the expiration of both the primary and subkeys to
> > make use of them.
>
> --edit-key is a low level operation, I wonder what expert GUIs like
> Kleopatra would allow. And if it is worth the effort to add a warning here.

Kleopatra doesn't let you specify an expiration past the (current) expiration of the primary key when you add a new subkey. Of course, you can change the expiration of the primary key to an earlier date after adding the new subkey and explicitly tell Kleopatra not to set the expiration of the subkeys to the same date. Kleopatra won't try to prevent you from shooting yourself in the foot if you really insist on doing so.

Regarding gpg I don't think any warning is necessary. If you use a powerful tool like gpg then you better know what you are doing. Moreover, a subkey which expires after the primary key won't do any harm. If you want to continue using the subkey then you can simply extend the lifetime of the primary key.

Regards,
Ingo
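Added example, not part of the original message and not GnuPG or Kleopatra code: a small Python check over `gpg --list-keys --with-colons` style output that reports each subkey's own expiration, its effective expiration (the earlier of subkey and primary), and whether it is set later than the primary key's. The sample listing, key IDs and the names `parse_ts` and `audit_subkeys` are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the `gpg --list-keys --with-colons` layout; key IDs and
# dates are made up. Field 5 is the key ID, field 7 the expiration (empty = none).
SAMPLE = """\
pub:u:255:22:AAAAAAAAAAAAAAAA:1735689600:1798761600::u:::scESC:::::ed25519:::0:
uid:u::::1735689600::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:255:18:BBBBBBBBBBBBBBBB:1735689600::::::e:::::cv25519::
sub:u:255:18:CCCCCCCCCCCCCCCC:1735689600:1767225600:::::e:::::cv25519::
sub:u:255:22:DDDDDDDDDDDDDDDD:1735689600:1830297600:::::s:::::ed25519::
"""

def parse_ts(field):
    """Colon-listing timestamp: epoch seconds or ISO 8601 basic form; '' means none."""
    if not field:
        return None
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def audit_subkeys(listing):
    """Return one dict per subkey with its own and its effective expiration."""
    primary_exp, report = None, []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue  # not a key record we can read an expiration from
        if f[0] == "pub":
            primary_exp = parse_ts(f[6])
        elif f[0] == "sub":
            sub_exp = parse_ts(f[6])
            # A subkey is not usable after the primary key has expired, so the
            # effective date is the earlier of the dates that are actually set.
            dates = [d for d in (sub_exp, primary_exp) if d is not None]
            report.append({
                "keyid": f[4],
                "expires": sub_exp,
                "effective": min(dates) if dates else None,
                "outlives_primary": bool(sub_exp and primary_exp and sub_exp > primary_exp),
            })
    return report

if __name__ == "__main__":
    for r in audit_subkeys(SAMPLE):
        note = "  <-- later than primary" if r["outlives_primary"] else ""
        print(r["keyid"], r["expires"], "effective:", r["effective"], note)
```
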
