Lost passphrase

Mark H. Wood mwood at IUPUI.Edu
Wed Apr 18 15:39:39 CEST 2007


On Tue, Apr 17, 2007 at 11:59:01PM -0500, Robert J. Hansen wrote:
> > I have read what everybody has said on the subject and one
> > thing needs to be said again.  THE DEFAULT EXPIRE FOR A NEW
> > KEY NEEDS TO BE FOR TWO YEARS FROM DATE OF KEY CREATION!
> 
> That's making some really big assumptions about the security policy  
> of the person making the key.
> 
> There are also a lot of perfectly good alternatives which should  
> perhaps be excluded first.

A good point.  But it applies equally to any other lifetime, including
the current default.  What this suggests to me is that the end user
drops out of the equation, because from the POV of the abstract
"typical user" no value that the developers choose is any more
supportable than any other.

This frees the developers to ask another question: "what value would
be good for the product's reputation?"  A moderate one (1-2 years)
seems like a reasonable answer, since it provides some protection to
the user who has no policy or omits to apply it, but isn't
tremendously burdensome.  Still, some thought and discussion would be
good.  Is there any science to support certain ranges of values in
certain applications?

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
