Validity period of GPG-keys
Adrian 'Dagurashibanipal' von Bidder
Tue May 27 17:32:07 2003
On Tuesday 27 May 2003 10:17, Jan Dirnberger wrote:
> I'm working on a school project, including Public Key Infrastructure (PKI).
> We are instructed to get out how long the validity period of a GPG-key
> should be set in a company or other organisations the info-material we
> collect is for in.
> First I wanted to advise an unrestricted validity, but then I remembered
> that organisations or enterprises might have often changing members. So
> I'm caught between the devil and the deep blue sea what to advise...
I guess as both long and short validity periods have their (dis)advantages, it boils down to what you like more.

As you're targeting a corporate/institutional environment, where enforced trust like this is relatively easy to get: have you thought about the company having the right to revoke keys of its members? Either by having revocation certificates of all keys stored, or (probably better, but AFAIK you break backward compatibility with older PGP/GPG versions) by having a corporate key as designated revoker for all keys of the members.

A different possibility is of course to give the keys a long validity, but limit the signature from the company key(s) to something like 1 or 2 years.
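Added example, not part of the original message: a throwaway GnuPG home in which a corporate key is appointed designated revoker of a member's key and then certifies that key with a signature that lapses after 2 years, i.e. both suggestions above in one script. It assumes GnuPG 2.2 or later on PATH; the key names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread: in a throwaway GnuPG home a
# corporate key is appointed designated revoker of a member's key and certifies
# that key with a signature that expires after 2 years, as the reply suggests.
# Assumes GnuPG >= 2.2 on PATH; names and addresses are constructed.
set -u
# unattended and unprotected keys (demo only); GNUPGHOME is set by run_demo
G="gpg --batch --yes --pinentry-mode loopback --passphrase"

fpr_of() {  # fingerprint of the primary key whose user ID matches $1
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}
has_revoker() {  # true if key $1 names key $2 as designated revoker (rvk record, field 10)
  gpg --batch --with-colons --list-keys "$1" \
    | awk -F: -v c="$2" '$1=="rvk" && $10==c {ok=1} END{exit !ok}'
}
cert_expires() {  # true if key $1 carries a certification by key $2 with an expiry (field 7)
  gpg --batch --with-colons --list-sigs "$1" | awk -F: -v f="$2" \
    '$1=="sig" && $5==substr(f,length(f)-15) && $7!="" {ok=1} END{exit !ok}'
}

run_demo() {
  GNUPGHOME=$(mktemp -d) && export GNUPGHOME || return 1
  trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
  # corporate key: certify-only and non-expiring, the long-lived trust anchor
  $G '' --quick-generate-key "Corp Certifier <pki@corp.example>" ed25519 cert never || return 1
  # member key: long own validity; company trust is bounded by the expiring certification
  $G '' --quick-generate-key "Alice Member <alice@corp.example>" ed25519 default 5y || return 1
  CORP=$(fpr_of pki@corp.example); ALICE=$(fpr_of alice@corp.example)
  # 1) designated revoker: the company can revoke without a stored revocation certificate
  printf 'addrevoker\n%s\ny\nsave\n' "$CORP" \
    | gpg --batch --command-fd 0 --status-fd 2 --edit-key "$ALICE" >/dev/null || return 1
  # 2) corporate certification of Alice's key that lapses after 2 years
  $G '' -u "$CORP" --default-cert-expire 2y --quick-sign-key "$ALICE" || return 1
  has_revoker "$ALICE" "$CORP" && cert_expires "$ALICE" "$CORP"
}

if command -v gpg >/dev/null 2>&1; then
  run_demo && echo "revoker appointed; corporate certification expires in 2 years"
fi
```

Once the certification has lapsed, `gpg --check-sigs` shows it as expired and the member key drops out of the company-anchored web of trust without anyone having to revoke it.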
pub 1024D/92082481 2002-02-22 Adrian von Bidder <firstname.lastname@example.org>
Key fingerprint = EFE3 96F4 18F5 8D65 8494 28FC 1438 5168 9208 2481
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab