I've heard it's good for security to have a shorter expiration time for GPG keys, but I'm still not clear on why that is exactly. Is the purpose of a GPG key mainly to inform the legitimate user that they ought to generate a key at some point? Or is it a genuine security feature rendering the key totally unusable after a certain date? If the purpose of the expiration time is the latter (or both), then I find it hard to imagine how you could actually rely on the expiration time as any form of a security precaution; an intruder could simply put the GPG key onto a computer with a rolled back system clock, and then proceed to use the key without any issues? Am I missing something here?

  • The short answer: the only purpose of the expiration date is to give the key owner a way to tell other people that they ought not to trust the key after that date. If some other person in the world wants to be stupid and trust it anyway, by misconfiguring their system or by some other means, nobody can stop them, but they're not violating anyone else's security. – Nate Eldredge Oct 25 '21 at 23:27
  • @NateEldredge You could convert that to an answer and I would upvote it. – ThoriumBR Oct 27 '21 at 03:06

0 Answers