GPG keys expire

Today is 2006-06-20, and five years ago I created the GnuPG key pair that I have been using ever since.

Possibly due to ignorance, I chose a key validity of one year and consequently stuck with that policy. Thus, every year on 20 June, I have to renew my master (signing) key and generate a new encryption key. And every year, on the days following 20 June, I get several dozen (if not hundreds of) emails telling me that my key has expired, written by those who write emails faster than it takes to check for the availability of the new key. Finally, my key now has hundreds of expired signatures, because it is GPG's default to expire signatures along with the master key.

This year, I took a step back and reassessed the choice. The result is that I am not expiring my master key anymore, but I will continue to provide a new encryption key every year, which will be valid for just a little more than a year.

Here are the reasons I found for ever expiring the master key:

And here are the reasons for the encryption keys:

As always, I'd love to hear your input, and I'll post relevant follow-ups.

In the meantime, please make sure you refresh my key:

gpg --keyserver subkeys.pgp.net --recv-key 330c4a75
wget -qO- http://people.debian.org/~madduck/gpg/330c4a75.asc.gz \
  | zcat | gpg --import

(Note: you can always get my latest key from the above URL)

You may also want to consider running gpg --refresh-keys from cron. I suggest doing so on a ghost copy of your keyring, though, and then merging from there, or else you'll experience locking problems when trying to use the keyring at the same time.
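As an added example (my own sketch, not madduck's script), here is one way to do that ghost-copy refresh from cron: the public keys are exported into a scratch GnuPG home, refreshed there over the network, and the result is merged back into the live keyring with a single short import. $GPG, $KEYSERVER and RUN_REFRESH are assumed hooks of this script, not gpg options; it assumes gpg 1.4 or 2.x on PATH.

```shell
#!/bin/sh
# Refresh keys in a scratch copy of the keyring, then merge back.
# The live keyring is only locked during the final --import, so
# other gpg invocations are not blocked while the keyserver is slow.
set -eu

GPG=${GPG:-gpg}                          # assumed hook: gpg binary (or stub)
LIVE_HOME=${GNUPGHOME:-${HOME:-}/.gnupg} # live GnuPG home
KEYSERVER=${KEYSERVER:-subkeys.pgp.net}  # keyserver from the post

refresh_via_copy() {
    # $1: live GnuPG home, $2: scratch directory (created, mode 0700)
    live=$1
    scratch=$2
    mkdir -p "$scratch" && chmod 700 "$scratch"
    # Seed the copy with public keys only; secret keys never leave $live.
    "$GPG" --homedir "$live" --export \
        | "$GPG" --homedir "$scratch" --import --quiet
    # The network fetch touches the copy, not the live keyring.
    "$GPG" --homedir "$scratch" --keyserver "$KEYSERVER" --refresh-keys
    # Merge: --import is a union, so new subkeys, signatures and
    # revocations land in the live keyring; nothing is removed.
    "$GPG" --homedir "$scratch" --export \
        | "$GPG" --homedir "$live" --import --quiet
    rm -rf "$scratch"
}

# Only run when explicitly asked (e.g. RUN_REFRESH=1 from a cron entry).
if [ "${RUN_REFRESH:-0}" = 1 ]; then
    refresh_via_copy "$LIVE_HOME" "$(mktemp -d)"
fi
```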