Page MenuHome GnuPG
Create Task
Maniphest T2701

Do not let users create keys without an expiration date
Closed, ResolvedPublic
Actions

Description

Rationale:

Users are clumsy, they will lose access to their secret key material, they will
lose the revocation certificate, and if the keys do not expire, there is no way
to get rid of them.

Plan:

Do not let users create keys without an expiration date unless they are in
--expert mode.

Usability considerations:

We should explain that it is possible to renew a key, and that it is not a huge
problem to forget to renew the key in time.

Details

External Link
https://lists.gnupg.org/pipermail/gnupg-devel/2016-December/032298.html

Revisions and Commits

rG GnuPG
rG8613230602ca gpg: Set default expiration date to 3 years.
rGbaa88832153d gpg: Set default expiration date to 3 years.
rKLEOPATRA Kleopatra
rKLEOPATRAd523249631de Change default expiry to three years in Kleo, too

Related Objects

Event Timeline

justus added projects: gnupg (gpg22), Feature Request, gnupg.Sep 23 2016, 11:51 AM
justus added a subscriber: justus.
werner added a subscriber: werner.Sep 28 2016, 9:35 AM

By renew you mean prolonging the expiration time?

To add this new default we should first add a --quick-set-expire command to make
it easier to change the expiration time. Or --quick-expire to match the name
used in --edit-key - I don't care. And of course gpgme needs a new API.

werner raised the priority of this task from Wishlist to Normal.Sep 28 2016, 9:35 AM
werner added a comment.Dec 5 2016, 9:26 AM

I'll take the --quick-set-expire command. -wk

werner added a comment.Dec 5 2016, 12:22 PM

--quick-set-expire now available.

justus added a comment.Dec 5 2016, 1:44 PM

Thanks!

werner added a comment.Dec 6 2016, 9:55 PM

Would you mind to write to gnupg-devel and ask for comments on your proposal?
In particular on how long the default expiration time shall be. 12, 18, or 24
months?

justus added a comment.Dec 9 2016, 2:56 PM

Partially addressed in d568a1561642ed9b7b7b6282b86c56786d10a956.

justus added a comment.Dec 13 2016, 4:53 PM

--quick-keygen fixed in dd3dde07a9a46130ac01d849f8edf0566e44f11f.

The default expiration interval has been discussed on the mailing list. There
was a rough consensus on two years, which has been challenged by Neal who thinks
it is too short given the current state of the tools, but the ensuing discussion
did not revolve around the time span, so I'm keeping my two years for now. In
any case, it is easy to adjust.

I decided to not change the --full-key-gen, because a) the user asked for it, b)
changing that requires breaking up a large chunk of translated text, and I do
not want to do that right now (a release is imminent).

justus closed this task as Resolved.Dec 13 2016, 4:53 PM
justus set External Link to https://lists.gnupg.org/pipermail/gnupg-devel/2016-December/032298.html.
werner added a comment.Jun 5 2023, 3:06 PM

To align the default expiration time with the BSI approval and other related software we change this now to 3 years.

werner added a commit: rGbaa88832153d: gpg: Set default expiration date to 3 years..Jun 15 2023, 11:17 AM
werner mentioned this in T6509: Release GnuPG 2.4.3.Jul 4 2023, 4:57 PM
werner added a commit: rG8613230602ca: gpg: Set default expiration date to 3 years..Jul 5 2023, 11:31 AM
werner removed a project: gnupg.Jul 5 2023, 2:47 PM

Also done for 2.2.

aheinecke added a commit: rKLEOPATRAd523249631de: Change default expiry to three years in Kleo, too.Jul 6 2023, 12:01 PM
werner mentioned this in T6307: Release GnuPG 2.2.42.Nov 28 2023, 4:59 PM
werner mentioned this in T7189: Release GnuPG 2.5.0.Jul 5 2024, 2:42 PM