GnuPG key management - Revoke, delete or expire?

What's the best practice for eliminating keys you don't want?

So I figured out that I have an extra set of keys. What I want to know is if I should expire the ones I don't want or revoke them or something else? I've used them to sign emails but I don't think I've ever encrypted anything with them. I've already set an expiry date of tomorrow but should I bother keeping them or just revoke and then delete? I've already securely copied the correct keys from another machine. The expired keys were uploaded to the key server but IDK if that means the old ones were overwritten or if now there are two sets of keys up on the key server, one with an expiry set and one without?

Answer 1

If the keys are stored on key servers, deleting is not an option. It is not possible to delete anything from the key server network.

So, you are to consider between expiration and revocation. Expiration has the meaning of limiting the validity to a given date, while revocation is a statement "I won't use this key any more", with the possibility of giving a reason (superseded, compromised, ...). I would say, revoking a key with message "superseded" is a clearer statement than setting an expiration date.

For primary keys expiration is not an option anyway: an attacker getting hold of the private key (e.g., because it is easier to crack it in future) could simply change the expiration date, and use the key again. This is not possible if you shared a revocation certificate. Also see Does GPG key expiration add to security?, but be aware one of the answers given is simply wrong.
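The answer recommends revoking with the reason "superseded" and publishing a revocation certificate rather than relying on an expiry date. The script below is an added example, not part of the original answer and not taken from GnuPG's documentation; it walks through that procedure end to end in a throwaway GNUPGHOME so nothing in your real keyring is touched. It assumes GnuPG 2.1 or later (for `--quick-generate-key`), the user id `Old Key <old-key@example.invalid>` is a constructed placeholder, and the function name `revoke_superseded_demo` is the example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): revoke a key with reason
# "superseded" inside an isolated temporary keyring and confirm the result.
set -eu

# Runs the whole procedure in a fresh GNUPGHOME and prints the validity
# flag of the key afterwards ("r" = revoked).
revoke_superseded_demo() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # 1. A throwaway signing key with no passphrase (demo only; the user id
    #    is a constructed placeholder).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Old Key <old-key@example.invalid>' ed25519 sign never \
        2>/dev/null

    # Primary-key fingerprint from the machine-readable listing.
    fpr=$(gpg --batch --with-colons --list-keys old-key@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. Generate the revocation certificate. --command-fd 0 lets the
    #    interactive prompts be answered from stdin, in this order:
    #      y  -> yes, create a revocation certificate for this key
    #      1  -> reason code 1 = "Key has been superseded"
    #      one line of optional description, then an empty line to finish
    #      y  -> confirm
    printf 'y\n1\nSuperseded by a new key; please use that one instead.\n\ny\n' \
        | gpg --no-tty --command-fd 0 --status-fd 2 --armor \
              --output "$GNUPGHOME/revoke.asc" --gen-revoke "$fpr" 2>/dev/null

    # 3. Importing the certificate marks the key as revoked locally. The same
    #    file is what you would publish (e.g. with --send-keys) so that the
    #    keyserver copy carries the revocation too.
    gpg --batch --quiet --import "$GNUPGHOME/revoke.asc" 2>/dev/null

    # 4. Field 2 of the "pub" record is the validity: "r" means revoked,
    #    which takes precedence over the key's own trust or expiry state.
    gpg --batch --with-colons --list-keys "$fpr" \
        | awk -F: '$1 == "pub" { print $2; exit }'

    # Clean up the temporary keyring and the agent started for it.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

if command -v gpg >/dev/null 2>&1; then
    status=$(revoke_superseded_demo)
    echo "validity flag after importing the revocation certificate: $status (r = revoked)"
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

The certificate is armored and signed by the key itself, so it can be generated now and kept offline, then imported and pushed with `gpg --send-keys <fingerprint>` whenever the key must be retired; the keyserver merges the revocation into the existing copy instead of replacing it, which is why deletion from the server network is not needed (and, as the answer notes, not possible).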
