Joi Ito's Web

Joi Ito's conversation with the living web.

I realized that I haven't made a new PGP key in a while. I just installed the new PGP and made a new key. I've signed it with all of the old keys that I can remember the passwords for and revoked the second to the oldest one. The most recent one still works, but please switch to this one as soon as you can.

Here is the public key: joi.asc and here is the fingerprint: B652 199B 6996 219B 62AE 6364 E349 8387 783D 4E0A

I keep wondering if I should make expiring keys, but it seems like it would be inconvenient as well. What do you all do?


I've just discussed this issue with some cypherpunks at WhatTheHack. They thought really practically about it, and told me it's better to make a non-expiring key and have one, than to always have it expire, and then be without a key until you finally get around to making a new one and getting it signed. For most people, adoption and usability are bigger issues right now than best-possible security.

I think i'll aim for the middle ground, and simply choose a more reasonable expiration date (4 years?).

Well, I usually make 1-year keys that I extend when I want to keep them.
Sometimes it's useful to have very short-lived keys designed for a single action, but I prefer to keep them for a while.

I always have 2 sets of keys...
For large keys (and for me it's the maximum PGP can churn out), I'll make it a non-expiring key.
For the smaller keys that I normally use for signing documents and files for public consumption, I'll have a 5-12 month expiration. It's just practical for smaller keys to have a shorter expiration, due to the fact that we will never know how soon they will be cracked. It's just absurd to make a small key and have no expiration, knowing that in 10 years or less it could be vulnerable and eventually useless.

You could make one certification key whose primary purpose is only to further the WoT (signing and being signed) that has a long expiry date and keep it more securely. This in turn signs an everyday-use GPG key that has a lifetime of a couple of years.

Having recently participated in yet another GPG key signing party made me reconsider my whole GPG key handling strategy:

1. Should I sign the key of absolutely everyone whose credentials I was able to verify during the key signing party?

A: Nope. Apply the same trust relationships as in real life and only sign the keys of people you actually know and positively trust. Old online acquaintances you finally get around to meeting in the flesh for the first time count as trustable, if you've known each other for long enough and have learned to trust one another via successful common projects.

2. Should my key include every e-mail address I've ever been known to use and then some?

A: Nope. Only include addresses that are guaranteed to be reachable for a reasonably long period and that you won't mind seeing published in plain view where Web spiders can harvest them (e.g. after being published online in a printable key list, in preparation for an upcoming key signing party). Old keys that include every e-mail address you've ever had should be promptly revoked!

3. Should the key have a reasonable expiry date?

A: Recent keys that only list meaningful e-mail addresses and that have been handled with proper care should probably have a reasonable expiry (say, 2-3 years from the creation date) and should be created on a day that would offer a mnemonic tool to remind you to check if the key has expired yet. Anyhow, you can always extend the expiry, if you know for a fact that the key has not been compromised, as needed.

4. Should I have multiple GPG keys or just a single key?

A: One key for personal ventures and one key for the dayjob ought to be enough. Only submit the relevant key for key signing parties, please! Don't ever submit every damn key you've ever owned! If you do, I won't sign any of them. Besides, if you have more than two GPG keys, you really ought to get a life! :-P

I'm still in the process of rolling out the procedure myself.

I guess one reason why I realized the above issues only now is that every GPG/PGP FAQ out there focuses on the command options you need to perform certain manipulations on a key, rather than on recommended practices for PKI usage in general. *sigh*
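Several comments above converge on the same practice: give keys an expiry date, extend it while the key is known to be uncompromised, and keep a long-lived certification key apart from the everyday signing and encryption keys. As an added example (not from the post or from any commenter), here is a small Python auditor over the machine-readable output of `gpg --list-keys --with-colons` that flags keys expiring within a warning window, keys that have already lapsed, and primary keys that themselves carry signing or encryption capability. The listing embedded in it is constructed sample data; the key IDs and user IDs are placeholders, and the field positions follow GnuPG's doc/DETAILS.

```python
"""Audit key expiry from a GnuPG keyring listing (added example).

Reads the output of `gpg --list-keys --with-colons` (field 1 record type,
field 5 key ID, field 7 expiry, field 12 capabilities, per GnuPG's
doc/DETAILS) and reports which keys never expire, have already expired,
or expire within a warning window.
"""
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Fixed "now" so the sample report is reproducible (2024-01-01T00:00:00Z).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed listing, not a real keyring: a certification-only primary
# (AAAA...) with sign/encrypt/auth subkeys, plus an older all-purpose
# primary (DDDD...) that has already expired. Expiry is empty (never),
# epoch seconds, or the ISO 8601 basic form newer GnuPG versions may emit.
SAMPLE_LISTING = """\
tru::1:1704067200:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::cESC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000:1707955200:::::s::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000:1735689600:::::e::::::23:
sub:u:255:22:EEEEEEEEEEEEEEEE:20200913T122640:20240301T000000:::::a::::::23:
pub:e:2048:1:DDDDDDDDDDDDDDDD:1500000000:1685577600::u:::scESC::::::23::0:
uid:e::::1500000000::1111111111111111111111111111111111111111::Bob Example <bob@example.net>::::::::::0:
"""


@dataclass
class KeyStatus:
    key_id: str
    kind: str                   # "primary" (pub record) or "subkey" (sub record)
    capabilities: str           # GnuPG field 12; lowercase = this key's own caps
    expires: Optional[datetime]
    state: str                  # "never-expires", "expired", "expiring-soon", "ok"
    days_left: Optional[int]


def parse_gpg_date(field: str) -> Optional[datetime]:
    """Empty field means no expiry; otherwise epoch seconds or YYYYMMDDTHHMMSS (UTC)."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def audit_listing(listing: str, now: datetime, warn_days: int = 90) -> List[KeyStatus]:
    """Classify every pub/sub record by how close it is to its expiry date."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(":")  # colons inside user IDs are escaped as \x3a by gpg
        if fields[0] not in ("pub", "sub"):
            continue  # tru/fpr/uid/sig records carry no expiry of their own
        expires = parse_gpg_date(fields[6])
        caps = fields[11] if len(fields) > 11 else ""
        if expires is None:
            state, days_left = "never-expires", None
        else:
            days_left = (expires - now).days
            if days_left < 0:
                state = "expired"
            elif days_left <= warn_days:
                state = "expiring-soon"
            else:
                state = "ok"
        kind = "primary" if fields[0] == "pub" else "subkey"
        findings.append(KeyStatus(fields[4], kind, caps, expires, state, days_left))
    return findings


def primary_keys_doing_daily_work(findings: List[KeyStatus]) -> List[str]:
    """Primary keys whose own capabilities include signing ('s') or encryption ('e').

    In the layered setup described above those jobs live on subkeys and the
    primary is certification-only ('c'); uppercase letters describe the key
    as a whole and are deliberately ignored here.
    """
    return [f.key_id for f in findings
            if f.kind == "primary" and ("s" in f.capabilities or "e" in f.capabilities)]


def run_sample() -> List[KeyStatus]:
    return audit_listing(SAMPLE_LISTING, SAMPLE_NOW)


if __name__ == "__main__":
    # Pipe a real listing in, or run with no input to audit the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    now = SAMPLE_NOW if text is SAMPLE_LISTING else datetime.now(timezone.utc)
    results = audit_listing(text, now)
    for f in results:
        when = f.expires.date().isoformat() if f.expires else "never"
        print(f"{f.kind:8} {f.key_id} caps={f.capabilities:6} expires={when:10} {f.state}")
    for key_id in primary_keys_doing_daily_work(results):
        print(f"note: primary {key_id} signs/encrypts directly; consider moving that to subkeys")
```

On a real keyring, `gpg --list-keys --with-colons | python3 key_expiry_audit.py` gives the report; the extension step that the third answer above refers to is `gpg --quick-set-expire <fingerprint> 2y` in GnuPG 2.2 and later, with the subkey fingerprints appended when those should be extended as well.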

I use keys that expire in five years. I plan to extend them when the expiration date comes close. In reality, however, I lost access to all my secret keys before they expired. So now I'm glad they are expiring, because I can't even revoke them anymore. That's the number one reason I want expiring keys.

(shill mode: ON)

Now the real question is: have you uploaded it to the PGP Global Directory so that everyone can find it and use it automatically?

(Disclosure: I'm a Product Manager for PGP Corporation)

Apparently yes, he's in the directory.

Why don't you use the CodeBlock program?
You can encode the email and file.
You can download the program in

Listed below are links to blogs that reference this entry: New PGP Key.

Taking a hint from Joi, I've set up a new PGP key. If that means anything to you then here...