On Tue, Apr 17, 2007 at 11:59:01PM -0500, Robert J. Hansen wrote:
> > I have read what everybody has said on the subject and one
> > thing needs to be said again. THE DEFAULT EXPIRE FOR A NEW
> > KEY NEEDS TO BE FOR TWO YEARS FROM DATE OF KEY CREATION!
>
> That's making some really big assumptions about the security policy
> of the person making the key.
>
> There are also a lot of perfectly good alternatives which should
> perhaps be excluded first.

A good point. But it applies equally to any other lifetime, including the current default.

What this suggests to me is that the end user drops out of the equation, because from the POV of the abstract "typical user" no value that the developers choose is any more supportable than any other. This frees the developers to ask another question: "what value would be good for the product's reputation?" A moderate one (1-2 years) seems like a reasonable answer, since it provides some protection to the user who has no policy or omits to apply it, but isn't tremendously burdensome.

Still, some thought and discussion would be good. Is there any science to support certain ranges of values in certain applications?

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he means the exact opposite.

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
