Validity period of GPG-keys

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Tue May 27 17:32:07 2003


On Tuesday 27 May 2003 10:17, Jan Dirnberger wrote:
> Hi!
>
> I'm working on a school project, including Public Key Infrastructure (PKI).
> We are instructed to get out how long the validity period of a GPG-key
> should be set in a company or other organisations the info-material we
> collect is for in.
>
> First I wanted to advise an unrestricted validity, but then I remembered
> that organisations or enterprises might have often changing members. So
> I'm caught between the devil and the deep blue sea what to advise...

I guess as both long and short validity periods have their (dis)advantages, I
guess it boils down to what you like more.

As you're targeting a corporate/institutional environment, where enforced
trust like this is relatively easy to get: have you thought about the company
having the right to revoke keys of its members? Either by having revocation
certificates of all keys stored, or (probably better, but afaik you break
backward compatibility with older PGP/GPG versions) by having a corporate key
as designated revoker for all keys of the members.

A different possibility is of course to give the keys a long validity, but
limit the signature from the company key(s) to something like 1 or 2 years.

greets
-- vbi

-- 
pub  1024D/92082481 2002-02-22 Adrian von Bidder <avbidder@fortytwo.ch>
     Key fingerprint = EFE3 96F4 18F5 8D65 8494  28FC 1438 5168 9208 2481

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj7ThVhgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi
YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fWewYAoMg3/imJ9QoEPnJ6+zSzubT6
xVefAKCDDef/UotjK3KOPZ9BVszsG2k8uQ==
=tWn4
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab
