Best practice for periodic key change?

Jeffrey Walton noloader at gmail.com
Fri May 6 08:20:54 CEST 2011


On Thu, May 5, 2011 at 4:10 PM, Doug Barton <dougb at dougbarton.us> wrote:
> On 05/04/2011 23:52, Andreas Heinlein wrote:
>>
>> We have an OpenPGP key which we use for signing our software releases.
>> That key should be changed yearly and carry an expiration date to
>> enforce this change.
>
> What are you trying to accomplish by doing it this way? I've yet to see a
> good rationale for setting expiration dates on keys, but perhaps you can be
> the first. :)
I would guess that Andreas is practicing Key Management
(http://www.cacr.math.uwaterloo.ca/hac/about/chap13.pdf). I've also
seen similar arise in compliance and auditing.

Jeff
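As an added example (not part of this thread, and not GnuPG's own code), here is the kind of check a release team following the yearly-rotation policy quoted above might run: it parses `gpg --with-colons --list-keys` output and flags keys that are expired, expire within a warning window, carry no expiration date at all, or have a validity period longer than the policy allows. The colon-format field positions (field 6 creation time, field 7 expiration time, both in seconds since the epoch, empty when the key never expires) are those documented for GnuPG 2.x. The sample listing, key IDs and fingerprints are constructed placeholders, the fixed "now" timestamp is there to make the run deterministic, and the 30-day warning window and 366-day maximum lifetime are assumed policy thresholds.

```python
"""Check OpenPGP key expiry against a rotation policy from gpg colon output.

Added example, not from the Gnupg-users post above and not part of GnuPG.
Assumes the GnuPG 2.x `--with-colons` record layout: field 5 key ID,
field 6 creation time, field 7 expiration time (epoch seconds, empty if
the key never expires), field 12 key capabilities.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Constructed sample output. Key IDs and fingerprints are placeholders,
# not real keys. Key 1 (365-day lifetime) has a signing subkey that expires
# sooner; key 2 has no expiration date and an already-expired signing subkey.
SAMPLE_COLONS = """\
tr:o:0:1:3:1:0
pub:u:4096:1:0123456789ABCDEF:1600000000:1631536000::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000000000000AA:
uid:u::::1600000000::0000000000000000000000000000000000000000::Release Signing (constructed) <release@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1615552000:::::s::::::23:
fpr:::::::::00000000000000000000000000000000000000BB:
pub:u:4096:1:1111111111111111:1590000000:::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000000000000CC:
uid:u::::1590000000::0000000000000000000000000000000000000000::Old Key (constructed) <old@example.invalid>::::::::::0:
sub:e:4096:1:2222222222222222:1590000000:1612000000:::::s::::::23:
fpr:::::::::00000000000000000000000000000000000000DD:
"""

# Fixed reference time (assumed, roughly 2021-02-22) so the sample run is repeatable.
NOW = 1614000000
DAY = 86400


@dataclass
class KeyRecord:
    kind: str            # "pub" for the primary key, "sub" for a subkey
    keyid: str
    created: int         # epoch seconds
    expires: int | None  # epoch seconds, or None when the key never expires
    caps: str            # capability letters, e.g. "s" = signing, "e" = encryption


def parse_colons(text: str) -> list[KeyRecord]:
    """Extract primary keys and subkeys from `gpg --with-colons` output."""
    records: list[KeyRecord] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue  # skip tr/fpr/uid and any other record types
        expires = int(f[6]) if f[6] else None
        records.append(KeyRecord(f[0], f[4], int(f[5]), expires, f[11]))
    return records


def assess(records: list[KeyRecord], now: int,
           warn_days: int = 30, max_lifetime_days: int = 366
           ) -> dict[str, tuple[str, int | None, bool]]:
    """Map each key ID to (status, days_left, lifetime_within_policy).

    status is one of "expired", "expiring", "ok" or "no-expiry". A key with
    no expiration date can never be forced to rotate, so it fails the policy.
    """
    result: dict[str, tuple[str, int | None, bool]] = {}
    for r in records:
        if r.expires is None:
            result[r.keyid] = ("no-expiry", None, False)
            continue
        days_left = (r.expires - now) // DAY          # floor division: expired keys go negative
        lifetime_ok = (r.expires - r.created) <= max_lifetime_days * DAY
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        result[r.keyid] = (status, days_left, lifetime_ok)
    return result


def live_listing() -> str:
    """Fetch the real listing from the local gpg keyring (not used by the sample run)."""
    return subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for keyid, (status, days_left, lifetime_ok) in assess(parse_colons(SAMPLE_COLONS), NOW).items():
        print(f"{keyid}: {status:9} days_left={days_left} lifetime_within_policy={lifetime_ok}")
```

Pointing the same two functions at `live_listing()` and the current time (`int(time.time())`) turns this into a cron-style check; the deliberately separate `lifetime_ok` flag catches a key that is still far from expiry but was created with a validity period longer than the policy permits, which a plain "days until expiry" report would miss.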



More information about the Gnupg-users mailing list