On 09/16/2014 10:04 AM, Nicholas Cole wrote:
> Can anyone explain to me why one would want to continue using a key
> and yet not simply change the expiry date? I really find all of the
> examples being given to be incredibly contrived.

"incredibly contrived" suggests that the people who are reporting the scenarios have made them up. I did not make up either example, and I doubt that Peter or Hauke did either. They simply happened, and we experienced them and are reporting them. Do you really think any of us made them up?

> It takes no time at
> all these days to change the date and distribute the new key.

Yes, it is trivial to update the expiration and publish it if (a) you know how, and (b) you don't have an offline master key. In fact, for updating the primary key, it is just:

  gpg --edit-key $PGPID expire
  gpg --send-key $PGPID

But sometimes, it is the encryption-capable subkey that is the thing that expired. In that case, it's a little bit more complex:

  gpg --edit-key $PGPID
  gpg> key 1
  gpg> expire
  gpg> save
  gpg --send-key $PGPID

Of course, it might be "key 2" or something else if you have more than one subkey.

I've definitely seen people update their primary key's expiration date and fail to update the expiration date of their subkey, so they have a valid cert, but it still can't be used for encryption. So they have to go back and do the second step later, after a poke from someone more knowledgeable about OpenPGP who figures out why no one can encrypt messages to them.

Is it getting complicated enough yet for you to believe these real-world reports?

The cost is not just the time to do it, it's the time to:

 0) understand what needs to be done
 1) figure out the interface to do it

This is non-trivial, for most people: the context switch alone from "regular work" to "thinking about key management" is expensive and distracting. And it is also scary -- people who understand a little about key management have probably heard that if you screw it up, you can screw up pretty big, in unrecoverable ways. So there are both cognitive and emotional barriers to overcome, in addition to the time it takes.

> As I've
> said, if the tools to do this kind of thing easily do not exist, they
> need to be created.

Do you know of any tools that do this easily for users who don't already think about key management daily? I don't, unfortunately. And even if they exist, some people might not have access to them.

I'm all for building those friendly key-management tools, I would love to see them. But we need to also let people use the tools we have in light of real-world scenarios.

        --dkg
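An added check for the failure mode dkg describes (my own example, not code from the mail or from GnuPG): it parses constructed `gpg --with-colons --list-keys` output and reports encryption-capable subkeys that have lapsed, or that expire before their primary key, together with the `key N` index that `gpg --edit-key` would need. The key IDs, dates and the colon-field layout used here are assumptions for the sample.

```python
# Constructed sample of `gpg --with-colons --list-keys` output (assumed
# layout: field 1 record type, 5 key ID, 7 expiry as epoch seconds,
# 12 capabilities). Key IDs and dates are made up. The primary key was
# renewed to 2030, but the encryption subkey kept its old 2014-09-04 expiry.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1262304000:1893456000::u:::scESC::::::
uid:u::::1262304000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::
sub:e:4096:1:BBBBBBBBBBBBBBBB:1262304000:1409788800:::::e::::::
sub:u:4096:1:CCCCCCCCCCCCCCCC:1262304000:1893456000:::::s::::::
"""

def _epoch(field):
    """The expiry field is empty when a key never expires."""
    return int(field) if field else None

def parse_listing(listing):
    """Group each 'pub' record with the 'sub' records that follow it."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "expires": _epoch(f[6]), "subkeys": []})
        elif f[0] == "sub" and keys:
            keys[-1]["subkeys"].append(
                {"keyid": f[4], "expires": _epoch(f[6]), "caps": f[11]})
    return keys

def stale_encryption_subkeys(listing, now):
    """Return (subkey ID, 1-based subkey index) for every encryption-capable
    subkey that has already expired, or expires before its primary key, while
    the primary key itself is still valid. The index is the N to give to
    'key N' inside gpg --edit-key to select that subkey."""
    stale = []
    for key in parse_listing(listing):
        if key["expires"] is not None and key["expires"] <= now:
            continue  # whole certificate expired: a different problem
        for index, sub in enumerate(key["subkeys"], start=1):
            if "e" not in sub["caps"] or sub["expires"] is None:
                continue
            lapsed = sub["expires"] <= now
            ends_early = key["expires"] is not None and sub["expires"] < key["expires"]
            if lapsed or ends_early:
                stale.append((sub["keyid"], index))
    return stale

if __name__ == "__main__":
    # 1410825600 is 2014-09-16 00:00 UTC, the date of the mail above
    for keyid, index in stale_encryption_subkeys(SAMPLE_LISTING, 1410825600):
        print(f"subkey {keyid}: run 'key {index}', 'expire', 'save' in gpg --edit-key")
```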
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users