Best practice for periodic key change?

Werner Koch wk at
Thu May 5 11:19:30 CEST 2011

On Thu,  5 May 2011 08:52, aheinlein at said:

> We have an OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for the signatures to be useful, the key
> has to be signed by quite a lot of well-known people and institutions,
> which means a considerable effort.

What I do is to prolong the expiration date shortly before the key
expires.  Further, I use a smartcard to protect the signing key.  A
periodic key change is problematic because it confuses those who want to
verify the signatures.

BTW, the prolongation of the expiration time has shown (by means of a
lot of complaining mails) that many folks don't refresh the key from time
to time with the goal of retrieving revocation certificates.

Thoughts are free.  Exceptions are governed by a federal law.
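The prolongation workflow described above, as an added example that is not part of the post: a POSIX shell helper that reads one `pub:` record from `gpg --with-colons --list-keys`, flags the key when its expiry falls within a chosen lead time, and extends it by a year with `gpg --quick-set-expire` (GnuPG 2.2 or later assumed). The sample record, key id and timestamps are constructed; the fingerprint passed to `prolong_key` is a placeholder.

```shell
#!/bin/sh
# Return 0 when the key described by a "pub:" colon record expires within
# LEAD_DAYS of NOW, 1 otherwise.  In GnuPG 2.x colon output, field 7 is the
# expiration time in seconds since the epoch; it is empty when the key never
# expires.  NOW defaults to the current time and is a parameter only so the
# logic can be checked with fixed values.
needs_prolongation() {
    pub_line=$1
    lead_days=$2
    now=${3:-$(date +%s)}
    expires=$(printf '%s\n' "$pub_line" | cut -d: -f7)
    [ -n "$expires" ] || return 1          # no expiration date set: nothing to do
    threshold=$((now + lead_days * 86400))
    [ "$expires" -le "$threshold" ]
}

# Constructed sample records (fake key id and timestamps, not taken from the post).
SAMPLE_PUB='pub:u:4096:1:0123456789ABCDEF:1300000000:1700000000::u:::scESC::::::23::0:'
SAMPLE_PUB_NOEXPIRY='pub:u:4096:1:0123456789ABCDEF:1300000000:::u:::scESC::::::23::0:'

# Extend the primary key and every subkey by one year, then re-publish so
# that verifiers who refresh the key pick up the new expiry (and any
# revocation certificate published in the meantime).  With the signing key
# on a smartcard the card must be inserted; the self-signature is made by
# the primary key.
prolong_key() {
    fpr=$1                                  # full fingerprint of the release-signing key
    gpg --batch --quick-set-expire "$fpr" 1y &&
    gpg --batch --quick-set-expire "$fpr" 1y '*' &&
    gpg --send-keys "$fpr"
}

# Typical cron usage (placeholder fingerprint):
#   pub=$(gpg --with-colons --list-keys "$FPR" | grep '^pub:')
#   needs_prolongation "$pub" 30 && prolong_key "$FPR"
```

Verifiers on the other side only see the new expiry if they run `gpg --refresh-keys`, which is the step the complaining mails show is often skipped.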
