Recommendations for handling (multiple) user IDs - personal and company ones
Branko Majic
branko at majic.rs
Sat Jun 8 11:35:07 CEST 2013
On Fri, 07 Jun 2013 13:22:04 -0700
Doug Barton <dougb at dougbarton.us> wrote:
> I'm not sure where you're getting this "15 years" number.
Up until now I've usually went with short-lived (1-2 years) keys. After
each period I'd simply replace them with completely new ones. Since
this can be a bit cumbersome, I wanted to set-up master key with a bit
longer validity period.
The 15 years felt good enough for me to have a nice longer-living trust
anchor without overdoing it (lots of X.509-based CAs out there have
validity of 20-25 years, but to me it feels a bit too long).
Of course, in case of some serious cryptographic attacks on RSA keys, I
may need to revoke the key long before those 15 years expire.
Truth be told, figuring out the validity of keys/certificates in PKI is
probably one of those things where you have to guess more than anything
else. In general, the way I see it it's a trade-off between convenience
and security (where security is actually very hard to figure out).
Best regards
--
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.
Бранко Мајић
Џабер: branko at majic.rs
Молим вас да додатке шаљете искључиво у слободним форматима.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: </pipermail/attachments/20130608/88778adf/attachment.sig>
More information about the Gnupg-users
mailing list