Recommendations for handling (multiple) user IDs - personal and company ones

Branko Majic branko at majic.rs
Sat Jun 8 11:35:07 CEST 2013


On Fri, 07 Jun 2013 13:22:04 -0700
Doug Barton <dougb at dougbarton.us> wrote:

> I'm not sure where you're getting this "15 years" number.

Up until now I've usually gone with short-lived (1-2 year) keys. After
each period I'd simply replace them with completely new ones. Since
this can be a bit cumbersome, I wanted to set up a master key with a
somewhat longer validity period.

The 15 years felt good enough for me to have a nice longer-lived trust
anchor without overdoing it (lots of X.509-based CAs out there have a
validity of 20-25 years, but to me that feels a bit too long).

Of course, in case of some serious cryptographic attacks on RSA keys, I
may need to revoke the key long before those 15 years expire.

Truth be told, figuring out the validity of keys/certificates in a PKI is
probably one of those things where you have to guess more than anything
else. In general, the way I see it, it's a trade-off between convenience
and security (where security is actually very hard to figure out).

Best regards

-- 
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.

Бранко Мајић
Jabber: branko at majic.rs
Please send attachments to me only in Free formats.
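The key layout the message above describes, a long-lived certification-only primary key acting as the trust anchor with short-lived subkeys that are renewed or replaced, as an added example in modern GnuPG (2.1 or later; not code from this thread or from the GnuPG project's documentation). It assumes gpg is on PATH, uses a throwaway GNUPGHOME with an empty passphrase (acceptable only for a demo), a constructed user ID, and ed25519/cv25519 keys for speed; rsa4096 substitutes for both algorithm names without other changes. The validity periods are the ones discussed in the message: 15 years for the primary key, 1 year for the subkeys.

```shell
#!/bin/sh
# Added example, not from the thread: one long-lived certification-only
# primary key plus short-lived signing and encryption subkeys, GnuPG 2.1+.
# Assumptions: gpg on PATH, a throwaway GNUPGHOME, an empty passphrase
# (demo only) and the constructed user ID below.
set -eu

export GNUPGHOME
GNUPGHOME=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

KEY_UID="Example User <user@example.invalid>"   # constructed identity
PRIMARY_VALIDITY=15y   # the message's choice for the primary key
SUBKEY_VALIDITY=1y     # short-lived subkeys, like the earlier 1-2 year keys

# gpg in batch mode with the (empty) passphrase supplied on the command line.
gpgb() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the primary key for a user ID.
primary_fpr() {
    gpg --with-colons --list-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprints of all subkeys under the given primary fingerprint
# (each "sub" record is followed by its own "fpr" record).
subkey_fprs() {
    gpg --with-colons --list-keys "$1" |
        awk -F: '$1 == "sub" { want = 1; next }
                 want && $1 == "fpr" { print $10; want = 0 }'
}

# Validity in whole years per key, one line each: "pub 15", "sub 1", ...
# Field 6 is creation, field 7 expiration (seconds since the epoch); GnuPG
# treats "1y" as 365 days, so the ratio is rounded to the nearest year.
key_validity_years() {
    gpg --with-colons --list-keys "$1" |
        awk -F: '($1 == "pub" || $1 == "sub") && $7 != "" {
                     printf "%s %d\n", $1, ($7 - $6) / 31536000 + 0.5 }'
}

# 1. Certification-only primary key with the long validity period.
gpgb --quick-generate-key "$KEY_UID" ed25519 cert "$PRIMARY_VALIDITY"
FPR=$(primary_fpr "$KEY_UID")

# 2. Short-lived subkeys that do the day-to-day signing and encryption.
gpgb --quick-add-key "$FPR" ed25519 sign "$SUBKEY_VALIDITY"
gpgb --quick-add-key "$FPR" cv25519 encr "$SUBKEY_VALIDITY"
echo "after generation:"; key_validity_years "$FPR"

# 3. GnuPG 2.1+ writes a revocation certificate for the primary key at
#    generation time; keep it offline for the "revoke early" case.
if [ -f "$GNUPGHOME/openpgp-revocs.d/$FPR.rev" ]; then
    echo "revocation certificate: $GNUPGHOME/openpgp-revocs.d/$FPR.rev"
fi

# 4. When the subkeys approach expiry, either extend them in place ...
renew_subkeys() {
    # shellcheck disable=SC2046  # fingerprints contain no whitespace
    gpgb --quick-set-expire "$1" "$2" $(subkey_fprs "$1")
}
renew_subkeys "$FPR" 2y
echo "after renewal:"; key_validity_years "$FPR"

# ... or add fresh ones and let the old ones lapse (the message's
# replace-with-new approach, but under the same primary key, so the
# trust anchor and its signatures survive the rotation).
gpgb --quick-add-key "$FPR" ed25519 sign "$SUBKEY_VALIDITY"
echo "after adding a replacement signing subkey:"; key_validity_years "$FPR"
```

The primary key only certifies (usage `cert`), so it can stay offline while the subkeys are used daily; renewing with `--quick-set-expire` keeps the same subkey material, whereas adding a new subkey is the choice when the old one may have been exposed.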