• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1458
  • Last Modified:

PGP Key Expiration

I have a question about managing PGP keys.

One of my trading partners, who will remain nameless to protect them, has been using the same key for a number of years and every year, they EDIT the key to change the expiration date instead of generating a new key.

I personally would prefer a new key instead of just editing the key expiration date.

I know they are just editing the expiration date because the PGP Key ID never changes.

I'm posting this to see if there is actually in fact a risk to using the same key.  I believe that there is.  I just need some confirmation or correction, if I am incorrect.

I've done some research, but I have not found anything that explicitly states that the date shouldn't be changed, but should instead be generated as a new key which will result in a new key ID.

I'm looking for any documentation or facts to support the theory that keys should be generated new instead of reused over a long period of time.
0
Jeff Darling
Asked:
Jeff Darling
  • 2
  • 2
1 Solution
 
wshark83Commented:
i don't think it makes a difference ... who holds the master key....? if they hold the master key and the expiration date is only changed on the public key then its fine...

I know in the past i've used the pgp key where the both set of key's are set to never expiry
0
 
Jeff DarlingDeveloper AnalystAuthor Commented:
@wshark83

Thanks for your comment.  I agree, not having a key expire makes it easier to deal with, but I'm going to expect that keys will be replaced after a period of time.  the problem I have seen is that if the expiration is going to be used, I would prefer that they generate a new one when it expires.  

Its like, eh, I changed my mind, I don't want this key to expire, I know I will just extend the expiration date!

Meanwhile, all the partners that hold the public key think the key is expired and when they get a new one, it can be confusing when they see that the key ID is the same, just that the expiration has changed.
0
 
wshark83Commented:
@jeffld totally agree its not very professional...

I would say that if they change the date then they should change the id and passphrase as well...I think the person who is manging the keys is being just point blank lazy....
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now