>>>>> On Fri, 6 Jul 2018, Marc Schiffbauer wrote:

> * Michał Górny wrote on 06.07.18 at 11:33:
>> If you don't see it for 5 years, how can you be sure that it is
>> even still there?

> Are you serious? Who tells you that I do not check from time to
> time?

> I am sure there will always be some scenario which makes a key
> unaccessible in some way. I do not disagree with that. It's a matter
> of probability.

> And for the worst case there is a revoke-Certificate which can be
> used.

Note that the revocation certificate is still listed under
recommendations only, so devs need not create one. Making this a
requirement would be a real improvement, IMHO.

Instead, the GLEP draft is focusing on short expiration times. It
won't help much if your compromised key will expire within one year,
but you cannot revoke it.

Suggestions:

- Change the minimum requirement for key expiry to at most 3 years
  (which is what is recommended in version 1).

- Recommend at most 15 months of key expiry, to be renewed at least
  2 weeks before the expiry date.

- Make creation of a revocation certificate (and storing it in a
  place separate from the key) mandatory.

Ulrich