1999-07-09 05:43:17
On Thu, Jul 08, 1999 at 11:39:48PM -0700, Jon Callas wrote:

I think you have a good point, but I also disagree at least a little.

> One of the things that I'd like to see software do operationally is
> something I call "rolling validity." I'd like to see keys have a relatively
> short life that keeps getting pushed out, by being re-validated.

Me too.  I did not detail this in my previous message, but IMO the way
to go is to use short validity periods on your encryption keys (so
that if you let them expire, no-one will send you mail encrypted to
those keys any more; an additional advantage is that you can change
the cipher preferences etc. if you switch to newer software versions)
and a longer validity period for the signing key.  Also your signing
key could use a long _key_ validity period, but short _signature_
validity periods for the self-signatures; then the key validity
period, if defined, should be used by others who certify that key.
A signing key is really invalid only when publishing its secret part
cannot break anything (not that I recommend doing so ...).

> [...] today my OpenPGP software tells me that come August 1, my self-sig
> will expire.

The self-signature!  Not the whole key, unless you don't re-validate.
For this, a signature validity period should be used, not a key
validity period.


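The distinction the message turns on (self-signature validity versus key validity) is concrete in the packet format: RFC 2440, and its successor RFC 4880, carry both limits as subpackets of the self-signature. Signature Expiration Time (subpacket type 3) is a number of seconds after the signature's own creation time; Key Expiration Time (type 9) is a number of seconds after the key's creation time, which the signature does not carry and must come from the key packet. The following is an added example, not code from the thread or from any OpenPGP implementation: it constructs a v4 self-signature with a six-month signature validity and a five-year key validity (dates chosen to match the August 1 expiry mentioned above; the key, the trailing hash prefix and the MPI are dummies and nothing is cryptographically verified), parses the subpacket area, and reports whether the operational answer is "re-validate" or "stop using this key".

```python
"""Added example: telling OpenPGP self-signature expiry from key expiry.

Parses only the hashed subpacket area of a v4 signature packet (RFC 4880
section 5.2.3).  The packet is constructed below for illustration; it is
not a real key and carries a dummy signature.
"""
import calendar
import struct

SIG_CREATION_TIME = 2    # subpacket type 2: seconds since the epoch
SIG_EXPIRATION_TIME = 3  # subpacket type 3: seconds after *signature* creation
KEY_EXPIRATION_TIME = 9  # subpacket type 9: seconds after *key* creation


def utc(y, m, d):
    """Seconds since the epoch for a UTC date (the OpenPGP time format)."""
    return calendar.timegm((y, m, d, 0, 0, 0))


def subpacket(sp_type, body):
    """Encode one subpacket in the one-octet length form (bodies < 191 octets)."""
    length = len(body) + 1            # the length covers the type octet, not itself
    assert length < 192
    return bytes([length, sp_type]) + body


def build_v4_sig(sig_type, hashed_subpackets):
    """Build the body of a v4 signature packet with only a hashed area.

    The hash prefix and MPI are dummies: this example reads the subpacket
    area only and performs no signature verification.
    """
    hashed = b"".join(hashed_subpackets)
    return (bytes([4, sig_type, 1, 2])          # version 4, type, RSA, SHA-1
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0)               # empty unhashed area
            + b"\x00\x00"                        # left 16 bits of hash (dummy)
            + b"\x00\x01\x01")                   # dummy 1-bit MPI


def parse_subpackets(area):
    """Decode a subpacket area into {type: body}, handling all three length forms."""
    found = {}
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        sp_type = area[i] & 0x7F                 # top bit is the "critical" flag
        found[sp_type] = bytes(area[i + 1:i + length])
        i += length
    return found


def parse_v4_sig(packet):
    """Return (signature type, hashed subpackets) of a v4 signature packet body."""
    if packet[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hashed_len = struct.unpack(">H", packet[4:6])[0]
    return packet[1], parse_subpackets(packet[6:6 + hashed_len])


def validity(packet, key_created, now):
    """Work out which limit, if any, has been reached at time `now`.

    `key_created` is the creation time from the public-key packet.  Returns
    the absolute expiry times (None if unlimited) and the action they imply:
    an expired self-signature is fixed by re-signing, an expired key is not.
    """
    _, sp = parse_v4_sig(packet)
    sig_created = struct.unpack(">I", sp[SIG_CREATION_TIME])[0]
    sig_expires = key_expires = None
    if SIG_EXPIRATION_TIME in sp:
        sig_expires = sig_created + struct.unpack(">I", sp[SIG_EXPIRATION_TIME])[0]
    if KEY_EXPIRATION_TIME in sp:
        key_expires = key_created + struct.unpack(">I", sp[KEY_EXPIRATION_TIME])[0]

    if key_expires is not None and now >= key_expires:
        action = "key expired: stop using it, do not just re-sign"
    elif sig_expires is not None and now >= sig_expires:
        action = "self-signature expired: issue a fresh self-signature"
    else:
        action = "valid"
    return {"sig_expires": sig_expires, "key_expires": key_expires, "action": action}


# Constructed sample: key made 1999-01-01, self-signed 1999-02-01 with a
# six-month signature validity (runs out 1999-08-01) and a five-year key validity.
KEY_CREATED = utc(1999, 1, 1)
SELF_SIG = build_v4_sig(0x13, [       # 0x13 = positive certification (self-sig)
    subpacket(SIG_CREATION_TIME, struct.pack(">I", utc(1999, 2, 1))),
    subpacket(SIG_EXPIRATION_TIME, struct.pack(">I", utc(1999, 8, 1) - utc(1999, 2, 1))),
    subpacket(KEY_EXPIRATION_TIME, struct.pack(">I", utc(2004, 1, 1) - utc(1999, 1, 1))),
])

if __name__ == "__main__":
    for day in ((1999, 7, 9), (1999, 8, 2), (2004, 2, 1)):
        print(day, validity(SELF_SIG, KEY_CREATED, utc(*day))["action"])
```

Run on the day of the message (1999-07-09) the sample reports "valid"; on 1999-08-02 only the self-signature has lapsed, which is the "rolling validity" case where a fresh self-signature pushes the date out again; in 2004 the key itself has expired and re-signing is the wrong answer. Real software must also treat a self-signature past its type-3 expiry as binding nothing, so the type-9 key expiry it carries is only meaningful while the signature is live.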