Today is 2006-06-20, and five years ago I created the GnuPG key pair that I have been using ever since.
Possibly due to ignorance, I chose a key validity of one year and consequently stuck with that policy. Thus, every year on 20 June, I have to renew my master (signing) key and generate a new encryption key. And every year, on the days following 20 June, I will get several dozens (if not hundreds) of emails telling me that my key has expired, written by those who write emails faster than it takes to check for availability of the new key. Finally, my key now has hundreds of expired signatures, because it's GPG's default to expire signatures along with the master key.
This year, I took a step back and reassessed the choice. The result is that I am not expiring my master key anymore, but I will continue to provide a new encryption key every year, which will be valid for just a little more than a year.
Here are the reasons I found why you'd ever expire the master key:
the key is intended to be used only for a limited amount of time. This is not the case for me.
in case of loss of control and lack of revocation certificate, the key will eventually become unusable. First, I have a revocation certificate, and second, if I lose control over the key it should mean that someone figured out my passphrase, and so could just extend the lifetime of the key anyway.
And here are the reasons for the encryption keys:
if you do lose control over your key, all's lost anyway.
if an attacker manages to crack one key, s/he can only read communication of the year during which I used the key, but no past or future communication.
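The policy described above (master key without expiry, a fresh encryption subkey every year that outlives the previous one by a little) can be checked mechanically against the machine-readable output of gpg --with-colons --list-keys. This is an added example, not code from the original post; the key IDs and the listing are constructed, and the 30-day warning threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import List, Optional, Tuple

@dataclass
class Key:
    kind: str                # "pub" = master key, "sub" = subkey
    keyid: str
    created: date
    expires: Optional[date]  # None = never expires
    caps: str                # field 12 capability letters, e.g. "e" or "scSC"

def _parse_date(field: str) -> Optional[date]:
    # GnuPG prints dates as YYYY-MM-DD (older versions) or epoch seconds (newer ones)
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), timezone.utc).date()
    return date.fromisoformat(field)

def parse_colons(listing: str) -> List[Key]:
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append(Key(f[0], f[4], _parse_date(f[5]), _parse_date(f[6]), f[11]))
    return keys

def check_policy(keys: List[Key], today: date, warn_days: int = 30) -> Tuple[List[str], List[str]]:
    """Return (policy problems, key IDs of encryption subkeys still valid on `today`)."""
    problems = []
    for m in (k for k in keys if k.kind == "pub"):
        if m.expires is not None:
            problems.append(f"master key {m.keyid} expires {m.expires}; policy says it should not")
    enc = [k for k in keys if k.kind == "sub" and "e" in k.caps]
    live = [k for k in enc if k.expires is None or k.expires >= today]
    if not live:
        problems.append("no valid encryption subkey: nobody can encrypt to this key right now")
    else:
        newest = max(live, key=lambda k: k.created)  # the key correspondents should be using
        if newest.expires is not None and (newest.expires - today).days <= warn_days:
            problems.append(f"encryption subkey {newest.keyid} expires {newest.expires}: publish the next one now")
    return problems, [k.keyid for k in live]

# Constructed listing with made-up key IDs; ISO dates on the first lines and epoch
# seconds on the last subkey, mixed on purpose so both date formats are exercised.
SAMPLE = """\
pub:u:1024:17:DEADBEEF00000001:2001-06-20::::::scSC::::::
sub:u:2048:16:DEADBEEF00000002:2005-06-20:2006-07-20:::::e::::::
sub:u:2048:16:DEADBEEF00000003:1150761600:1184889600:::::e::::::
"""
```

Run check_policy(parse_colons(SAMPLE), date.today()) against a real listing piped from gpg to get a reminder well before the flood of "your key has expired" mails starts.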
As always, I'd love to hear your input, and I'll post relevant follow-ups.
In the mean time, please make sure you refresh my key:
gpg --keyserver subkeys.pgp.net --recv-key 330c4a75
wget -qO- http://people.debian.org/~madduck/gpg/330c4a75.asc.gz | zcat | gpg --import
(Note: you can always get my latest key from the above URL)
You may also want to consider running cron. I suggest doing so on a ghost copy of your keyring though and then to merge from there, or else you'll experience locking problems when trying to use the keyring at the same time.