AW: Robot CA at

David Shaw
Sun Dec 8 13:03:02 2002

On Sat, Dec 07, 2002 at 04:53:36PM -0600, Kyle Hasselbacher wrote:
> Hash: SHA1
> On Sat, Dec 07, 2002 at 02:52:19PM -0500, David Shaw wrote:
> >My experience is different here - I was thinking a 1-year expiration
> >was reasonable.  Seems to me that nearly everyone I know I always
> >mailing me with "I got a new email address".
> I may be off my rocker, but I've been thinking "3 months" for expiration.
> I wonder if I'm crazy since every other suggestion I hear is longer.  Does
> anyone have evidence beyond the personal anecdotal about the lifetime of
> the average email address?

Well, it almost doesn't matter.  This detail isn't really so much a
matter of security as a matter of sanity.  Remember that every time
you sign a key, you add a new signature packet - and the old one stays
around as well.  If you are signing (and then re-signing) a key every
3 months, pretty soon the key will be huge and covered in your

The numbers you were looking for, by the way, are 31% of all email
addresses get changed every year:

I suspect you will find that your "repeat business" drops off
dramatically unless a mail client is going to automate this
every-3-months stuff.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson