Solved

PGP Key Expiration

Posted on 2012-04-12
4
1,027 Views
Last Modified: 2012-04-20
I have a question about managing PGP keys.

One of my trading partners, who will remain nameless to protect them, has been using the same key for a number of years and every year, they EDIT the key to change the expiration date instead of generating a new key.

I personally would prefer a new key instead of just editing the key expiration date.

I know they are just editing the expiration date because the PGP Key ID never changes.

I'm posting this to see if there is actually in fact a risk to using the same key.  I believe that there is.  I just need some confirmation or correction, if I am incorrect.

I've done some research, but I have not found anything that explicitly states that the date shouldn't be changed, but should instead be generated as a new key which will result in a new key ID.

I'm looking for any documentation or facts to support the theory that keys should be generated new instead of reused over a long period of time.
0
Comment
Question by:Jeff Darling
  • 2
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
wshark83 earned 500 total points
ID: 37837874
i don't think it makes a difference ... who holds the master key....? if they hold the master key and the expiration date is only changed on the public key then its fine...

I know in the past i've used the pgp key where the both set of key's are set to never expiry
0
 
LVL 12

Author Comment

by:Jeff Darling
ID: 37837913
0
 
LVL 12

Author Comment

by:Jeff Darling
ID: 37838070
@wshark83

Thanks for your comment.  I agree, not having a key expire makes it easier to deal with, but I'm going to expect that keys will be replaced after a period of time.  the problem I have seen is that if the expiration is going to be used, I would prefer that they generate a new one when it expires.  

Its like, eh, I changed my mind, I don't want this key to expire, I know I will just extend the expiration date!

Meanwhile, all the partners that hold the public key think the key is expired and when they get a new one, it can be confusing when they see that the key ID is the same, just that the expiration has changed.
0
 
LVL 6

Expert Comment

by:wshark83
ID: 37841971
@jeffld totally agree its not very professional...

I would say that if they change the date then they should change the id and passphrase as well...I think the person who is manging the keys is being just point blank lazy....
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question