author | Lars Wirzenius <liw@sequoia-pgp.org> | 2021-11-04 09:32:15 +0200 |
---|---|---|
committer | Lars Wirzenius <liw@sequoia-pgp.org> | 2021-11-04 09:32:15 +0200 |
commit | 1a9244dd8019d0ca17114ee48307ce542f38aca6 (patch) | |
tree | d52b070270b7468c268ea4cd5c5c6dd60491aa7c | |
parent | 76cd239ed211384bacac74d5161bd1205b408a1a (diff) | |
download | sq-user-guide-1a9244dd8019d0ca17114ee48307ce542f38aca6.tar.gz |
Add note about revocation update benefit to key expiration
Closes #18
-rw-r--r-- | sq-guide.md | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sq-guide.md b/sq-guide.md index b8bd9d3..d53e6db 100644 --- a/sq-guide.md +++ b/sq-guide.md @@ -542,12 +542,18 @@ key: if the key expires, others won't use it anymore. You can extend the expiration as often as you wish, although that requires getting your update certificate to everyone who needs to use it. +Another, more subtle benefit of expiring keys is that a short +expiration time (of, say, one year) forces everyone else to refresh +their copy of your certificate. This routine means they will also get +a revocation update for the key, if there's ever a need for that. + You can also set subkeys to expire. This has the same benefits as expiring the primary key. Changing expiration times can be a chore. There's a security benefit to it, but if it's inconvenient for you, you may want to consider not -expiring keys, or only expire subkeys. +expiring keys, or only expire subkeys. Despite the benefits, it's +better to have a non-expiring key than not have a key at all. ## Generating a key |
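Review bot: In the added paragraph, "This routine means they will also get a revocation update for the key" states a stronger guarantee than a refresh gives: the other party only sees a revocation if it has been published wherever they fetch the certificate from, so consider wording along the lines of "This routine refresh also gives them the chance to pick up a revocation, if one has been published." The same paragraph refreshes "your certificate" but revokes "the key"; using one term for both would read more clearly. In the last added sentence, "than not have a key at all" reads better as "than to not have a key at all", and the unchanged context line above the new paragraph still says "your update certificate", which looks like it should be "updated certificate" and could be fixed in the same commit.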