Recommended key size for life long key

Larry Brower ivangrunt09 at
Sun Sep 1 21:51:25 CEST 2013

On 09/01/2013 02:45 PM, Johan Wevers wrote:

> Why? What's the advantage of that? I replace keys after they have a
> chance of being compromised, but not before. Same for my mail domain - I
> created an ssh certificate that is valid for 50 years (unlimited was not
> an option) and I'll replace it when I fear intrusions or crypto
> breakthroughs make it insecure. Not before.

The longer a key is in use the greater the chance of compromise. Just
because you believe it has not been compromised doesn't make it so. By
regenerating keys every so often you drastically lessen the chances of a
key being compromised or of a possible compromise having as much effect
on you. There is a reason things like IPSEC keys are renegotiated after
so many minutes or after so many bytes are transmitted. :)


Larry Brower, CCNA

Fedora Ambassador - North America
Fedora Quality Assurance
lbrower at

More information about the Gnupg-users mailing list