Re: Web of Trust work [Was: kernel.org tooling update]

[Linus Torvalds <torvalds@linux-foundation.org>]

On Tue, 27 Jan 2026 at 00:39, Uwe Kleine-König <ukleinek@kernel.org> wrote:
>
> Thanks for the link. I was aware that Linus isn't a big fan of PGP and
> GnuPG. Still I think that having an expiration for your PGP certificates
> is a very sensible thing.

I have never ever seen any good reason for automatic expiration, and
it causes actual real problems because *NOBODY* ever renews those
expiration in time and makes sure that they actually percolate out.

We literally had that happen just last week, and that was with a
person that is supposed to be an *expert* in those things, and that
uses fancy DNS key distribution etc.

So no. No expiration dates. They are stupid and do not work in
practice. End of story.

They are ALSO stupid because they make old signatures *look*
untrusted. Just go and do

    git log --show-signature @{15.years.ago}

and look for 'expired'. It's all just sad and pointless, . What
matters was whether that key was trusted AT THAT POINT IN TIME, not
whether it's trusted now. But that's not how things work.

And here is why they are completely pointless: a key that is no longer
trusted should be *REVOKED*.

And no, I'm not talking about the (bad) support that PGP itself has,
which requires a revocation key that nobody ever actually has.

Sure, if you have a revocation key, by all means use it, but I doubt
it has ever been used in any form in reality except for testing.

So when I say "revoke it", I'm talking about just letting people know
that a key is no longer trustworthy, and then they should remove it
from their keychain.

(And no, you shouldn't randomly and automatically add keys from people
just because of some "I can reach it with a web of trust", so your
keychain shouldn't be in a situation where some old untrusted key
randomly then gets added back)

Because once the key is no longer trustworthy, some "it will expire in
two years" is COMPLETE AND UTTER GARBAGE.

WTF? You'd have to be completely insane to think that is an acceptable
or sensible in *ANY* form. It's too stupid for words, I don't
understand how anybody can even entertain that kind of complete
bullshit.

So stop with the idiotic key expiration garbage. It's completely
unacceptable because it doesn't work in practice, and IT IS INCREDIBLY
STUPID TO BEGIN WITH.

In practice, the only thing it results in is that when people lose
their private keys, they eventually expire, but why should anybody
care about that? If the key is lost, it's become *more* secure, for
chrissake.

Any web of trust that actively encourages idiocy is not a web of trust
I want to have anything to do with.

Yes, this is a pet peeve of mine. PGP is UX a disaster to begin with,
the key distribution sucks, and expiry dates just make everything
worse.

             Linus