?
Solved

PGP Key Expiration

Posted on 2012-04-12
4
Medium Priority
?
1,163 Views
Last Modified: 2012-04-20
I have a question about managing PGP keys.

One of my trading partners, who will remain nameless to protect them, has been using the same key for a number of years and every year, they EDIT the key to change the expiration date instead of generating a new key.

I personally would prefer a new key instead of just editing the key expiration date.

I know they are just editing the expiration date because the PGP Key ID never changes.

I'm posting this to see if there is actually in fact a risk to using the same key.  I believe that there is.  I just need some confirmation or correction, if I am incorrect.

I've done some research, but I have not found anything that explicitly states that the date shouldn't be changed, but should instead be generated as a new key which will result in a new key ID.

I'm looking for any documentation or facts to support the theory that keys should be generated new instead of reused over a long period of time.
0
Comment
Question by:Jeff Darling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
wshark83 earned 2000 total points
ID: 37837874
i don't think it makes a difference ... who holds the master key....? if they hold the master key and the expiration date is only changed on the public key then its fine...

I know in the past i've used the pgp key where the both set of key's are set to never expiry
0
 
LVL 13

Author Comment

by:Jeff Darling
ID: 37838070
@wshark83

Thanks for your comment.  I agree, not having a key expire makes it easier to deal with, but I'm going to expect that keys will be replaced after a period of time.  the problem I have seen is that if the expiration is going to be used, I would prefer that they generate a new one when it expires.  

Its like, eh, I changed my mind, I don't want this key to expire, I know I will just extend the expiration date!

Meanwhile, all the partners that hold the public key think the key is expired and when they get a new one, it can be confusing when they see that the key ID is the same, just that the expiration has changed.
0
 
LVL 6

Expert Comment

by:wshark83
ID: 37841971
@jeffld totally agree its not very professional...

I would say that if they change the date then they should change the id and passphrase as well...I think the person who is manging the keys is being just point blank lazy....
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question