AW: Robot CA at

Kyle Hasselbacher
Sun Dec 8 20:35:01 2002

Hash: SHA1

On Sun, Dec 08, 2002 at 07:04:04AM -0500, David Shaw wrote:
>On Sat, Dec 07, 2002 at 04:53:36PM -0600, Kyle Hasselbacher wrote:

>> I may be off my rocker, but I've been thinking "3 months" for expiration.
>> I wonder if I'm crazy since every other suggestion I hear is longer.  Does
>> anyone have evidence beyond the personal anecdotal about the lifetime of
>> the average email address?
>Well, it almost doesn't matter.  This detail isn't really so much a
>matter of security as a matter of sanity.  Remember that every time
>you sign a key, you add a new signature packet - and the old one stays
>around as well.  If you are signing (and then re-signing) a key every
>3 months, pretty soon the key will be huge and covered in your

Tangent:  why don't OpenPGP implementations discard expired data?  I can
understand holding a revoked key so you don't reimport it as unrevoked, but
stuff that's expired is just useless, useless, useless.  Or am I missing
something?  Are we worried that my clock is wrong?

>The numbers you were looking for, by the way, are 31% of all email
>addresses get changed every year:

Wow, I'm surprised that anyone bothered to find that out.  Of course, a
customer relations group would be interested.  If I've read this right,
this means that 69% of email addresses last longer than a year.  That makes
a one year expiration sound better.

>I suspect you will find that your "repeat business" drops off
>dramatically unless a mail client is going to automate this
>every-3-months stuff.

The idea, eventually, is for it all to be automated.
- -- 
Kyle Hasselbacher
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see