by prepend 1163 days ago
> Signal for example uses ephemeral keys for each message.

There’s a big difference between identity keys and session keys. It makes total sense to use lots of throw-away keys (this is how TLS works), but making a new identity key for every message is madness.

There is no empirical evidence for how frequently to rotate your identity keys.

A few years ago NIST started recommending never changing passwords unless they are compromised [0]. Identity keys aren’t exactly the same as passwords but I think they are similar.

I don’t think anyone quantifies how much of a benefit there is to changing your password, nor how frequently to change it. “As frequently as possible” is not useful advice, as that could be every minute or never. I need more actionable guidance so I can weigh it against other priorities.

[0] https://pages.nist.gov/sp800-63-3.html


> There’s a big difference between identity keys and session keys. It makes total sense to use lots of throw-away keys (this is how TLS works), but making a new identity key for every message is madness.

That's not what happens (new identity for each message) and compromise of a Signal identity key has no impact on message security, unlike GPG. Also it's not how all TLS works; it's how TLS works with perfect secrecy ciphers only.

> There is no empirical evidence for how frequently to rotate your identity keys.

Certainly not if you refuse to look for it.

> A few years ago NIST started recommending never changing passwords unless they are compromised

Passwords derive session keys (cookies) which rotate very frequently. You have a lot to learn about computer security, I'm happy to make some reading recommendations if you're sincerely interested.
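As an added illustration of the identity-key versus session-key split argued in the two comments above (example code written for this page, not Signal's or any poster's): a long-lived Ed25519 identity key only signs, every session gets a fresh X25519 key that the identity key vouches for, so session keys rotate constantly while the identity key stays put. Hashing the shared secret with SHA-256 stands in for a proper KDF; that, and the `Offer`/`Accept` names, are assumptions made to keep the example short.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SessionOffer is a throw-away X25519 public key bound to a long-lived identity by a signature.
type SessionOffer struct {
	Ephemeral []byte // X25519 public key, fresh for every session
	Sig       []byte // Ed25519 signature by the identity key over Ephemeral
}

// NewIdentity makes the long-lived identity key; it only ever signs, never encrypts.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Offer generates a fresh session key and signs its public half with the identity key.
func Offer(identity ed25519.PrivateKey) (*ecdh.PrivateKey, *SessionOffer, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pub := eph.PublicKey().Bytes()
	return eph, &SessionOffer{Ephemeral: pub, Sig: ed25519.Sign(identity, pub)}, nil
}

// Accept checks that the offer was signed by the expected identity, then derives the session key.
// Hashing the raw shared secret stands in for a real KDF (assumption, kept short for the example).
func Accept(peerIdentity ed25519.PublicKey, offer *SessionOffer, mine *ecdh.PrivateKey) ([32]byte, error) {
	if !ed25519.Verify(peerIdentity, offer.Ephemeral, offer.Sig) {
		return [32]byte{}, errors.New("ephemeral key not signed by the expected identity")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(offer.Ephemeral)
	if err != nil {
		return [32]byte{}, err
	}
	shared, err := mine.ECDH(peerPub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(shared), nil
}
```

Losing one session's ephemeral private key exposes only that session, and an attacker who later obtains the identity key can forge new offers but cannot recover session keys already derived and discarded.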

I'm not a part of this conversation, but I'd love to see those recommendations if you're willing to share.