<h1>OpenPGP key expiration is not a security measure</h1>
<p>Published 2018-08-13 on blogs.gentoo.org/mgorny: https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key-expiration-is-not-a-security-measure/</p>
<p>There seems to be some recurring confusion among Gentoo developers regarding the topic of OpenPGP key expiration dates. Some developers seem to believe them to be some kind of security measure — and start arguing about its weaknesses. Furthermore, some people seem to think of it as a rotation mechanism, and believe that they are expected to generate new keys. The truth is, the expiration date is neither of those.</p>
<p>The key expiration date can be updated at any time (both lengthened or shortened), including past the previous expiration date. This is a feature, not a bug. In fact, you are <em>expected</em> to update your expiration dates periodically. You certainly <em>should not</em> rotate your primary key unless really necessary, as switching to a new key usually involves a lot of hassle.</p>
<p>If an attacker manages to compromise your primary key, he can easily update the expiration date as well (even if it expires first). Therefore, the expiration date does not really provide any added protection here. Revocation is the only way of dealing with compromised keys.</p>
<p>Expiration dates really serve two purposes: naturally eliminating unused keys, and enforcing periodic checks on the primary key. By requiring developers to periodically update their expiration dates, we also implicitly force them to check whether their primary secret key (which we recommend storing offline, in a secure place) is still present and working. Now, if it turns out that the developer can neither update the expiration date nor revoke the key (because the key, its backups and the revocation certificate are all lost or damaged, or the developer goes MIA), the key will eventually expire and stop being a ‘ghost’.</p>
<p>Even then, developers argue that we have LDAP and retirement procedures to deal with that. However, OpenPGP keys go beyond Gentoo and beyond Gentoo Infrastructure. We want to encourage good practices that will also affect our users and other people with whom developers are communicating, and who have no reason to know about internal Gentoo key management.</p>