AW: Robot CA at toehold.com

Kyle Hasselbacher kyle@toehold.com
Sun Dec 8 20:35:01 2002


On Sun, Dec 08, 2002 at 07:04:04AM -0500, David Shaw wrote:
>On Sat, Dec 07, 2002 at 04:53:36PM -0600, Kyle Hasselbacher wrote:

>> I may be off my rocker, but I've been thinking "3 months" for expiration.
>> I wonder if I'm crazy since every other suggestion I hear is longer.  Does
>> anyone have evidence beyond the personal anecdotal about the lifetime of
>> the average email address?
>
>Well, it almost doesn't matter.  This detail isn't really so much a
>matter of security as a matter of sanity.  Remember that every time
>you sign a key, you add a new signature packet - and the old one stays
>around as well.  If you are signing (and then re-signing) a key every
>3 months, pretty soon the key will be huge and covered in your
>signatures.

Tangent:  why don't OpenPGP implementations discard expired data?  I can
understand holding a revoked key so you don't reimport it as unrevoked, but
stuff that's expired is just useless, useless, useless.  Or am I missing
something?  Are we worried that my clock is wrong?

>The numbers you were looking for, by the way, are 31% of all email
>addresses get changed every year:
>http://www.destinationcrm.com/articles/default.asp?ArticleID=2578&TopicID=2

Wow, I'm surprised that anyone bothered to find that out.  Of course, a
customer relations group would be interested.  If I've read this right,
this means that 69% of email addresses last longer than a year.  That makes
a one year expiration sound better.

>I suspect you will find that your "repeat business" drops off
>dramatically unless a mail client is going to automate this
>every-3-months stuff.

The idea, eventually, is for it all to be automated.
- -- 
Kyle Hasselbacher
kyle@toehold.com