Something for the backlog, I get some questions how you handle expiry dates in a similar workflow to an S/MIME CA for OpenPGP.

The S/MIME CA certifies your key for e.g. 2y. In OpenPGP Kleopatra always certifies indefinetly. This is ok for the web of trust identity based workflow, but when the identity is based on a company or a CA trust there expiry dates would help in cases no online contacts and key refreshs happen.

It should imo be hidden in the Advanced field of Kleopatra with the logic that the other fields have there that if they were enabled the last time you made a certification then it should be enabled too for the next one.

I think we do not need a gui to change the expiration date of a UID signature (certification) because you can just do another certification with a different date. But I'm not 100% sure what GnuPG does in the case that you had an expiry never uid signature, didnt revoke that and just add another one with expiry 2y for example.