Thanks for the amusing responses. With our new knowledge of who actually reads our emails, rules for cycling passwords have lost pride of place in a ranking of things-to-worry-about.
I intended the question to be answered in the context of the post by Henrique de Moraes Holschuh, where 'across security domains' is considered less desirable than 'across hosts'. I know what hosts are when writing computer stuff, but, come to think about it, what does it mean to rotate keys? Is the idea that a particular key string is to be reused on some host after it has been removed from service on some other host? I had thought that it was best to never use a retired key string again - but security is tricky - maybe there might be some point in using old strings as the keys on some (unmentioned) honey pot servers.

On 20130727_162740, Paul E Condon wrote:
> On 20130727_140629, Henrique de Moraes Holschuh wrote:
> > On Sat, 27 Jul 2013, Brian wrote:
> > > On Sat 27 Jul 2013 at 12:05:05 +0300, Lars Noodén wrote:
> > > > On 07/26/2013 11:26 PM, Brian wrote:
> > > > > Does this 'good idea' have reasons to support it?
> > > >
> > > > It is for much the same reasons that passwords are rotated. It was
> > > > mainly this draft that convinced me:
> > > >
> > > > http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1
> > > >
> > > > It mentions rotating the keys in several places.
> > >
> > > Thank you, that was an interesting read. The focus of the draft is on
> > > organisations which utilise SSH keys extensively, so in such a situation
> > > I can understand a recommendation for key rotation because ignoring it
> > > may have disastrous consequences. Users with small networks and with
> > > well managed access to them would rarely have a need to change passwords
> > > or keys at predetermined intervals.
> >
> > If you have that key sitting anywhere outside of a hardened smartcard, you
> > should rotate it every so often, in case someone managed to snag a copy of
> > it while you were not paying attention. It is NOT too much pain to rotate
> > keys once a year, unless you're doing it wrong in the first place.
> >
> > It is also good practice to never share the same key across hosts (or if
> > that's impractical, across security domains), and to have specific keys for
>
> I'm lurking here, hoping to learn things:
> In this case, what is a 'security domain'?
> Don't make fun of me. I really haven't, to my memory, come across the
> term, before.
>
> > specific services. This practice can greatly reduce the damage caused by a
> > compromised key.
> >
> >
> --
> Paul E Condon
> pecon...@mesanetworks.net
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/20130727222740.GA19973@big

--
Paul E Condon
pecon...@mesanetworks.net

Archive: http://lists.debian.org/20130728053748.GB20388@big
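Henrique's point about not sharing one key across hosts is something an administrator can check rather than take on trust. The following is an added example, not code from anyone in this thread: it computes the SHA256 fingerprints ssh-keygen -l prints for each line of several authorized_keys files and reports any key that is authorized on more than one host. The authorized_keys contents are constructed in the script (synthetic ssh-ed25519 blobs, not real key pairs) so it runs offline; in practice you would feed it the real files collected from each host.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(b)) + b

def make_ed25519_key(seed: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line.
    Constructed test data: the 32-byte 'public key' is just a hash of
    the seed, so it is not a usable key pair."""
    pub = hashlib.sha256(seed).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (no padding).
    Skips any leading authorized_keys options (e.g. from=..., command=...)."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no key type found in line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_shared_keys(authorized: dict) -> dict:
    """Map fingerprint -> sorted hosts, keeping only keys seen on >1 host."""
    seen = defaultdict(set)
    for host, content in authorized.items():
        for line in content.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments are not keys
            seen[fingerprint(line)].add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}

# Constructed sample: the 'admin' key is reused on a web host and a db host,
# while the bastion has its own dedicated admin key.
SAMPLE = {
    "web1": make_ed25519_key(b"admin", "admin@laptop") + "\n"
            + make_ed25519_key(b"deploy-web", "deploy@ci"),
    "db1": "# backup operator\n" + make_ed25519_key(b"backup", "backup@db1")
           + "\n" + make_ed25519_key(b"admin", "admin@laptop"),
    "bastion": make_ed25519_key(b"admin-bastion", "admin@laptop"),
}

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE).items():
        print(f"{fp} is authorized on: {', '.join(hosts)}")
```

Each fingerprint the script reports marks one key whose compromise would expose every listed host at once; splitting it into per-host (or at least per-security-domain) keys is the fix the thread recommends.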