Validity period of GPG-keys

Adrian 'Dagurashibanipal' von Bidder
Tue May 27 17:32:07 2003


On Tuesday 27 May 2003 10:17, Jan Dirnberger wrote:
> Hi!
> I'm working on a school project, including Public Key Infrastructure (PKI).
> We are instructed to find out how long the validity period of a GPG key
> should be set in a company or other organisation the info-material we
> collect is for.
> First I wanted to advise an unrestricted validity, but then I remembered
> that organisations or enterprises might have often changing members. So
> I'm caught between the devil and the deep blue sea what to advise...

I guess as both long and short validity periods have their (dis)advantages,
I guess it boils down to what you like more.

As you're targeting a corporate/institutional environment, where enforced
trust like this is relatively easy to get: have you thought about the company
having the right to revoke keys of its members? Either by having revocation
certificates of all keys stored, or (probably better, but afaik you break
backward compatibility with older PGP/GPG versions) by having a corporate key
as designated revoker for all keys of the members.

A different possibility is of course to give the keys a long validity, but
limit the signature from the company key(s) to something like 1 or 2 years.

-- vbi

pub  1024D/92082481 2002-02-22 Adrian von Bidder <>
     Key fingerprint = EFE3 96F4 18F5 8D65 8494  28FC 1438 5168 9208 2481

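The two controls discussed in the thread, a bounded validity on each member's key and a time-limited certification from the corporate key, are only useful if somebody checks that they are actually applied. The script below is an added example, not code from the list thread or from GnuPG: it parses the colon-delimited output of `gpg --with-colons --list-sigs` (field layout as documented in GnuPG's doc/DETAILS) and flags keys that never expire, keys that have expired or are about to, and corporate certifications that are missing, unlimited or expired. The sample listing, the key IDs, the addresses and the corporate key ID `CCCCCCCCCCCCCCCC` are constructed placeholders, and the 30-day warning window is an assumption.

```python
"""Audit a GnuPG keyring listing against a validity-period policy.

Added example (not GnuPG's own code).  Input is the machine-readable
`gpg --with-colons --list-sigs` format; creation/expiration fields are
seconds since the epoch in GnuPG 2.x and YYYY-MM-DD in GnuPG 1.x.
"""
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample listing; key IDs and addresses are placeholders.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:1111111111111111:1600000000:1694736000::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1600000000::HASH1::Alice Example <alice@corp.example>::::::::::0:
sig:::1:1111111111111111:1600000000::::Alice Example <alice@corp.example>:13x::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1600086400:1663158400:::Corp Certifier <ca@corp.example>:13x::::::::0:
pub:u:2048:1:2222222222222222:1500000000:::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1500000000::HASH2::Bob Example <bob@corp.example>::::::::::0:
sig:::1:2222222222222222:1500000000::::Bob Example <bob@corp.example>:13x::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1500086400::::Corp Certifier <ca@corp.example>:13x::::::::0:
"""

# Assumed ID of the corporate certifying key (placeholder value).
CORPORATE_KEYID = "CCCCCCCCCCCCCCCC"
EPOCH = datetime.fromtimestamp(0, tz=timezone.utc)


def parse_date(field):
    """Return an aware UTC datetime for a colon-format date field, or None if empty."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_listing(text):
    """Group pub/uid/sig records into one dict per primary key.

    Only user-ID certifications (signature classes 0x10 to 0x13) are kept;
    self-signatures are included so the caller can tell them from third-party ones.
    """
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "created": parse_date(f[5]),
                       "expires": parse_date(f[6]), "uid": None, "certs": []}
            keys.append(current)
        elif f[0] == "uid" and current is not None and current["uid"] is None:
            current["uid"] = f[9]
        elif f[0] == "sig" and current is not None and f[10][:2] in ("10", "11", "12", "13"):
            current["certs"].append({"signer": f[4], "created": parse_date(f[5]),
                                     "expires": parse_date(f[6])})
    return keys


def audit(keys, corporate_keyid, now, warn_days=30):
    """Return (keyid, finding) tuples for every policy deviation found."""
    findings = []
    for k in keys:
        kid = k["keyid"]
        # Policy 1: every member key must carry an expiration date.
        if k["expires"] is None:
            findings.append((kid, "key has no expiration date"))
        elif k["expires"] <= now:
            findings.append((kid, "key has expired"))
        elif k["expires"] - now <= timedelta(days=warn_days):
            findings.append((kid, "key expires within %d days" % warn_days))
        # Policy 2: the corporate certification must exist and be time-limited.
        corp = [c for c in k["certs"] if c["signer"] == corporate_keyid]
        if not corp:
            findings.append((kid, "no certification from corporate key"))
            continue
        latest = max(corp, key=lambda c: c["created"] or EPOCH)
        if latest["expires"] is None:
            findings.append((kid, "corporate certification never expires"))
        elif latest["expires"] <= now:
            findings.append((kid, "corporate certification has expired; re-certify or revoke"))
    return findings


def run_sample(now_epoch=1672531200, corporate_keyid=CORPORATE_KEYID):
    """Audit the constructed sample as of a fixed instant (default: 2023-01-01 UTC)."""
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    return audit(parse_listing(SAMPLE_LISTING), corporate_keyid, now)


if __name__ == "__main__":
    # Pipe `gpg --with-colons --list-sigs` into this script, or run it bare for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for keyid, finding in audit(parse_listing(text), CORPORATE_KEYID, datetime.now(timezone.utc)):
        print("%s: %s" % (keyid, finding))
```

On the sample, Alice's key itself is still valid but the corporate certification on it lapsed, so she is due for re-certification (or revocation if she has left); Bob's key has neither an expiration nor a time-limited corporate certification, which is exactly the unrestricted-validity situation the thread warns against. The designated-revoker arrangement mentioned in the reply is not checked here; that would require parsing the `rvk` records, which this example leaves out.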