On Fri, 07 Jun 2013 13:22:04 -0700 Doug Barton <do...@dougbarton.us> wrote:
> I'm not sure where you're getting this "15 years" number.

Up until now I've usually gone with short-lived (1-2 years) keys. After each period I'd simply replace them with completely new ones. Since this can be a bit cumbersome, I wanted to set up a master key with a bit longer validity period. The 15 years felt good enough for me to have a nice longer-living trust anchor without overdoing it (lots of X.509-based CAs out there have validity of 20-25 years, but to me it feels a bit too long).

Of course, in case of some serious cryptographic attacks on RSA keys, I may need to revoke the key long before those 15 years expire.

Truth be told, figuring out the validity of keys/certificates in PKI is probably one of those things where you have to guess more than anything else. In general, the way I see it, it's a trade-off between convenience and security (where security is actually very hard to figure out).

Best regards

-- 
Branko Majic
Jabber: bra...@majic.rs
Please use only Free formats when sending attachments to me.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users