Connected: An Internet Encyclopedia
7.4 Key Lifetimes

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 2065
Up: 7. Operational Considerations
Prev: 7.3 Key Generation
Next: 7.5 Signature Lifetime

7.4 Key Lifetimes

7.4 Key Lifetimes

No key should be used forever. The longer a key is in use, the greater the probability that it will have been compromised through carelessness, accident, espionage, or cryptanalysis. Furthermore, if key rollover is a rare event, there is an increased risk that, when the time does come up change the key, no one at the site will remember how to do it or other problems will have developed in the procedures.

While key lifetime is a matter of local policy, these considerations suggest that no zone key should have a lifetime significantly over four years. A reasonable maximum lifetime for zone keys that are kept off-line and carefully guarded is 13 months with the intent that they be replaced every year. A reasonable maximum lifetime for end entity and useer keys that are used for IP-security or the like and are kept on line is 36 days with the intent that they be replaced monthly or more often. In some cases, an entity key lifetime of somewhat over a day may be reasonable.


Next: 7.5 Signature Lifetime

Connected: An Internet Encyclopedia
7.4 Key Lifetimes