On Thu, 5 May 2011 08:52, aheinl...@gmx.com said:

> We have an OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for the signatures to be useful, the key
> has to be signed by quite a lot of well-known people and institutions,
> which means a considerable effort.

What I do is to prolong the expiration date shortly before the key expires. Further, I use a smartcard to protect the signing key. A periodic key change is problematic because it confuses those who want to verify the signatures.

BTW, the prolongation of the expiration time has shown (by means of a lot of complaining mails) that many folks don't refresh the key from time to time with the goal to retrieve revocation certificates.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
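
For readers who verify release signatures, the following is an added example (not part of the message above and not GnuPG project code) that scans a colon-format key listing for primary keys whose local copy is expired or close to expiry, which are the keys most likely to have a prolonged expiration date or a revocation waiting upstream. It assumes GnuPG 2.1 or later, where the expiration field is given in epoch seconds and `fpr` records are always printed; the function name and the sample listing are constructed for illustration.

```python
import time

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
SAMPLE = """\
pub:e:4096:1:AAAAAAAAAAAAAAAA:1262304000:1293840000::-:::sc:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:e::::1262304000::::Release Signing (constructed) <releases@example.org>:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1262304000:1306886400::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1262304000:::-:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
"""

def keys_to_refresh(colon_listing, now=None, warn_days=30):
    """Return [(fingerprint, status)] for primary keys that look stale locally.

    status is "expired" or "expiring". A key without an expiration date is
    not reported. Only the local copy is inspected; the owner may already
    have published a later expiration date.
    """
    now = int(time.time()) if now is None else now
    results = []
    pending = None  # status of the last pub record, until its fpr line is seen
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = None
            expires = f[6] if len(f) > 6 else ""
            if f[1] == "e":                      # gpg already marks it expired
                pending = "expired"
            elif expires.isdigit():              # field 7: expiry, epoch seconds
                left = int(expires) - now
                if left <= 0:
                    pending = "expired"
                elif left <= warn_days * 86400:
                    pending = "expiring"
        elif f[0] == "fpr" and pending and len(f) > 9:
            results.append((f[9], pending))      # field 10: fingerprint
            pending = None
    return results

if __name__ == "__main__":
    # 1304553600 is 2011-05-05 00:00 UTC, the date of the message above.
    for fpr, status in keys_to_refresh(SAMPLE, now=1304553600):
        print(f"{status:9} {fpr}")
```

On a real keyring, feed it the output of `gpg --list-keys --with-colons` and follow up with `gpg --refresh-keys` for the fingerprints it reports.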