On 09/01/2013 02:45 PM, Johan Wevers wrote:
> Why? What's the advantage of that? I replace keys after they have a
> chance of being compromised, but not before. Same for my mail domain - I
> created an ssh certificate that is valid for 50 years (unlimited was not
> an option) and I'll replace it when I fear intrusions or crypto
> breakthroughs make it insecure. Not before.
>
The longer a key is in use the greater the chance of compromise. Just because you believe it has not been compromised doesn't make it so. By regenerating keys every so often you drastically lessen the chances of a key being compromised or of a possible compromise having as much effect on you.

There is a reason things like IPSEC keys are renegotiated after so many minutes or after so many bytes are transmitted. :)

--
Larry Brower, CCNA
Fedora Ambassador - North America
Fedora Quality Assurance
lbro...@fedoraproject.org
http://www.fedoraproject.org/
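The rekeying rule Larry points to (retire an IPsec key after a time limit or a byte limit, whichever is hit first) bounds how much traffic any single key ever protects. The simulation below is an added example, not code from this thread or from any IPsec implementation; the limits and the traffic events are constructed sample values.

```python
"""Key-lifetime limits in the style of IPsec SA rekeying: a key is retired
after a maximum age in seconds or a maximum number of protected bytes,
whichever comes first. Added example with constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class RekeyPolicy:
    max_seconds: float          # retire the key after this much wall-clock time...
    max_bytes: int              # ...or after it has protected this many bytes
    created_at: float = 0.0     # timestamp the current key was installed
    bytes_used: int = 0         # bytes protected by the current key
    generation: int = 1         # number of the key currently in use
    history: list = field(default_factory=list)  # (generation, age, bytes) per retired key

    def needs_rekey(self, now: float, extra_bytes: int = 0) -> bool:
        """True if sending extra_bytes at time `now` would exceed either limit."""
        return (now - self.created_at >= self.max_seconds
                or self.bytes_used + extra_bytes > self.max_bytes)

    def rekey(self, now: float) -> None:
        """Retire the current key, record what it protected, install a fresh one."""
        self.history.append((self.generation, now - self.created_at, self.bytes_used))
        self.generation += 1
        self.created_at = now
        self.bytes_used = 0

    def send(self, now: float, nbytes: int) -> int:
        """Account for nbytes at time `now`, rekeying first if needed; returns generation used."""
        if self.needs_rekey(now, nbytes):
            self.rekey(now)
        self.bytes_used += nbytes
        return self.generation


# Constructed traffic: (timestamp in seconds, bytes sent).
EVENTS = [(0, 400), (10, 400), (20, 400), (90, 100), (100, 100)]


def simulate(events, max_seconds, max_bytes):
    """Run (timestamp, bytes) events through the policy.
    Returns (keys_used, most_bytes_ever_protected_by_one_key): the second value
    is the worst-case exposure if any single key were compromised."""
    policy = RekeyPolicy(max_seconds, max_bytes, created_at=events[0][0])
    for ts, nbytes in events:
        policy.send(ts, nbytes)
    policy.rekey(events[-1][0])  # close out the final key so it is counted too
    return policy.generation - 1, max(b for _, _, b in policy.history)


if __name__ == "__main__":
    print("60 s / 1000 B limits:", simulate(EVENTS, 60, 1000))           # (3, 800)
    print("no limits:", simulate(EVENTS, float("inf"), 10**12))           # (1, 1400)
```

With the limits in place the same 1400 bytes are spread over three keys, so a compromise of any one key exposes at most 800 bytes instead of everything.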
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users