Best practice for periodic key change?
Werner Koch
wk at gnupg.org
Thu May 5 11:19:30 CEST 2011
On Thu, 5 May 2011 08:52, aheinlein at gmx.com said:
> We have a OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for the signatures to be useful, the key
> has to be signed by quite a lot of well-known people and institutions,
> which means a considerable effort.
What I do is to prolong the expiration date shortly before the key
expires. Further I use a smartcard to protect the signing key. A
periodic key change is problematic because it confuses those who want to
verify the signatures.
BTW, the prolongation of the expiration time has shown (by means of a
lot of complaining mails) that many folks don't refresh the key from time
to time with the goal to retrieve revocation certificates.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
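An added check, not Werner's code and not part of GnuPG, for the practice described above: it parses the machine-readable listing from `gpg --with-colons --fixed-list-mode --list-keys` and flags keys whose expiration date should be prolonged soon. The listing below is constructed sample data with hypothetical key IDs; the warning window and the `gpg --quick-set-expire` / `gpg --refresh-keys` reminders are assumptions about how a release team would act on the result.

```python
"""Flag OpenPGP keys that are expired or expire within a warning window.

Field layout of the colon-separated listing (gnupg doc/DETAILS): record
type, validity, key length, algorithm, key ID, creation date, expiration
date, ...; with --fixed-list-mode the date fields are Unix timestamps.
"""
import time

WARN_DAYS = 30  # assumed: prolong a key when it expires within 30 days

# Constructed sample listing; the key IDs are hypothetical.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:1702000000::u:::scESC::::::23::0:
uid:u::::1600000000::HASH::Release Signing Key <release at example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000:1702000000:::::s::::::23:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000:1900000000::u:::scESC::::::23::0:
uid:u::::1600000000::HASH::Infra Key <infra at example.com>::::::::::0:
pub:e:2048:1:DDDDDDDDDDDDDDDD:1500000000:1690000000::e:::scESC::::::23::0:
uid:e::::1500000000::HASH::Old Key <old at example.com>::::::::::0:
"""


def parse_keys(listing):
    """Return one dict per primary key: key ID, first user ID, expiry (or None)."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            expiry = int(f[6]) if f[6] else None  # empty field: never expires
            keys.append({"keyid": f[4], "uid": None, "expiry": expiry})
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]  # user ID is the 10th field of a uid record
    return keys


def classify(keys, now, warn_days=WARN_DAYS):
    """Split key IDs into expired / expiring (within warn_days) / ok."""
    out = {"expired": [], "expiring": [], "ok": []}
    for k in keys:
        if k["expiry"] is None or k["expiry"] - now > warn_days * 86400:
            out["ok"].append(k["keyid"])
        elif k["expiry"] <= now:
            out["expired"].append(k["keyid"])
        else:
            out["expiring"].append(k["keyid"])
    return out


if __name__ == "__main__":
    report = classify(parse_keys(SAMPLE_LISTING), int(time.time()))
    for keyid in report["expiring"]:
        print(f"{keyid}: prolong now, e.g. gpg --quick-set-expire {keyid} 1y")
    for keyid in report["expired"]:
        print(f"{keyid}: expired; verifiers should run gpg --refresh-keys")
```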