AW: Robot CA at toehold.com

David Shaw dshaw@jabberwocky.com
Sun Dec 8 13:03:02 2002


On Sat, Dec 07, 2002 at 04:53:36PM -0600, Kyle Hasselbacher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sat, Dec 07, 2002 at 02:52:19PM -0500, David Shaw wrote:
> 
> >My experience is different here - I was thinking a 1-year expiration
> >was reasonable.  Seems to me that nearly everyone I know is always
> >mailing me with "I got a new email address".
> 
> I may be off my rocker, but I've been thinking "3 months" for expiration.
> I wonder if I'm crazy since every other suggestion I hear is longer.  Does
> anyone have evidence beyond the personal anecdotal about the lifetime of
> the average email address?

Well, it almost doesn't matter.  This detail isn't really so much a
matter of security as a matter of sanity.  Remember that every time
you sign a key, you add a new signature packet - and the old one stays
around as well.  If you are signing (and then re-signing) a key every
3 months, pretty soon the key will be huge and covered in your
signatures.

The number you were looking for, by the way, is that 31% of all email
addresses get changed every year:
http://www.destinationcrm.com/articles/default.asp?ArticleID=2578&TopicID=2

I suspect you will find that your "repeat business" drops off
dramatically unless a mail client is going to automate this
every-3-months stuff.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
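The accumulation David describes above can be checked directly on a key block: every certification is its own signature packet, and a robot CA that re-signs every three months leaves the expired ones behind. The script below is an added example, not code from this thread or from GnuPG. It is a minimal RFC 4880 packet walker (old and new header formats, v4 signature subpackets for creation and expiration time) run over a constructed key block: one user ID, the owner's self-signature, and three 90-day robot-CA certifications issued 90 days apart. The key material, user ID and hash/MPI bytes are dummies made up for the example.

```python
"""
Walk an OpenPGP (RFC 4880) key block and list the certification
signatures bound to each user ID, with creation and expiration times.
Minimal parser: packet headers plus the v4 signature layout, no crypto.
"""
import struct
from datetime import datetime, timedelta, timezone

TAG_SIGNATURE, TAG_PUBKEY, TAG_USERID = 2, 6, 13
SUBPKT_CREATED, SUBPKT_EXPIRES = 2, 3            # RFC 4880 5.2.3.4 / 5.2.3.10
CERT_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}


def _read_length(data, pos):
    """New-format length (RFC 4880 4.2.2), also used by subpackets. Returns (len, pos)."""
    b = data[pos]
    if b < 192:
        return b, pos + 1
    if b < 224:
        return ((b - 192) << 8) + data[pos + 1] + 192, pos + 2
    if b == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths not supported")


def iter_packets(data):
    """Yield (tag, body) for every packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if hdr & 0x40:                               # new format: tag in low 6 bits
            tag = hdr & 0x3F
            length, pos = _read_length(data, pos + 1)
        else:                                        # old format: tag in bits 2..5
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def iter_subpackets(area):
    """Yield (type, data) for each signature subpacket; length covers type byte + data."""
    pos = 0
    while pos < len(area):
        length, pos = _read_length(area, pos)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # mask off the critical bit
        pos += length


def parse_v4_signature(body):
    """Return (sig_type, created, expires) from the hashed subpackets of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sig_type = body[1]                               # body[2], body[3]: pk and hash algorithm
    hashed_len = struct.unpack(">H", body[4:6])[0]
    created = lifetime = None
    for sp_type, sp_data in iter_subpackets(body[6:6 + hashed_len]):
        if sp_type == SUBPKT_CREATED:
            created = datetime.fromtimestamp(struct.unpack(">I", sp_data)[0], timezone.utc)
        elif sp_type == SUBPKT_EXPIRES:
            lifetime = struct.unpack(">I", sp_data)[0]    # seconds after creation
    expires = created + timedelta(seconds=lifetime) if created and lifetime else None
    return sig_type, created, expires


def certifications(keyblock):
    """Map each user ID to the certification signatures that follow it in the key."""
    result, uid = {}, None
    for tag, body in iter_packets(keyblock):
        if tag == TAG_USERID:
            uid = body.decode("utf-8")
            result.setdefault(uid, [])
        elif tag == TAG_SIGNATURE and uid is not None:
            sig_type, created, expires = parse_v4_signature(body)
            if sig_type in CERT_TYPES:
                result[uid].append((CERT_TYPES[sig_type], created, expires))
    return result


def summarize(keyblock, now):
    """Per user ID: (certification packets present, certifications still valid at `now`)."""
    return {uid: (len(sigs), sum(1 for _, _, exp in sigs if exp is None or exp > now))
            for uid, sigs in certifications(keyblock).items()}


# ---- constructed sample key (dummy MPIs, hash prefix and user ID; not a real key) ----
T0 = datetime(2002, 12, 8, tzinfo=timezone.utc)


def at_day(n):
    return T0 + timedelta(days=n)


def _packet(tag, body):                              # new-format header, one-byte length
    return bytes([0xC0 | tag, len(body)]) + body


def _subpacket(sp_type, data):
    return bytes([len(data) + 1, sp_type]) + data


def _cert_sig(sig_type, created, lifetime_days):
    hashed = _subpacket(SUBPKT_CREATED, struct.pack(">I", int(created.timestamp())))
    if lifetime_days:
        hashed += _subpacket(SUBPKT_EXPIRES, struct.pack(">I", lifetime_days * 86400))
    body = bytes([4, sig_type, 1, 2]) + struct.pack(">H", len(hashed)) + hashed
    body += b"\x00\x00" + b"\x12\x34" + b"\x00\x10\xab\xcd"   # no unhashed area, hash prefix, dummy MPI
    return _packet(TAG_SIGNATURE, body)


SAMPLE_KEY = (
    _packet(TAG_PUBKEY, b"\x04" + struct.pack(">I", int(T0.timestamp())) + b"\x01\x00\x10\xab\xcd\x00\x03\x05")
    + _packet(TAG_USERID, b"Example User <user@example.org>")
    + _cert_sig(0x13, at_day(0), 0)          # owner's self-signature, no expiry
    + _cert_sig(0x10, at_day(0), 90)         # robot CA certification, 3-month lifetime
    + _cert_sig(0x10, at_day(90), 90)        # re-signed after 3 months; the old packet stays
    + _cert_sig(0x10, at_day(180), 90)       # and again
)

if __name__ == "__main__":
    for uid, sigs in certifications(SAMPLE_KEY).items():
        print(uid)
        for kind, created, expires in sigs:
            print("  %-8s created %s  expires %s" % (kind, created.date(), expires.date() if expires else "never"))
    print(summarize(SAMPLE_KEY, at_day(200)))      # 4 packets carried, only 2 still valid
```

Run against a real key block exported with `gpg --export`, the same walk shows how many of the certifications a key carries are already expired; only the count of valid ones is a trust statement, the rest is the growth David warns about. The parser deliberately refuses partial body lengths and indeterminate old-format lengths rather than guessing, since both appear in real keyrings and mis-parsing them would silently misattribute signatures to the wrong user ID.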