From 77935f1b9842b63b90b6c292bd6866800503a3a8 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Tue, 23 Apr 2024 23:37:52 +0200
Subject: [PATCH] Signatures

- addresses parts of oasis-tcs/csaf#678
- add FAQ on signing
---
 csaf_2.0/guidance/faq.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/csaf_2.0/guidance/faq.md b/csaf_2.0/guidance/faq.md
index 105efa31..1749f429 100644
--- a/csaf_2.0/guidance/faq.md
+++ b/csaf_2.0/guidance/faq.md
@@ -48,6 +48,10 @@ Starting with version CSAF 2.1, [CSAF will support TLP v2](https://github.com/oa
 
 CSAF lister and CSAF aggregator choose on their own which producing parties they add to their lists. Please reach out to the CSAF lister or CSAF aggregator in question. Their contact details are available in the metadata of the list.
 
+### How long should signatures of CSAF documents be valid?
+
+At any given point in time, signatures MUST be valid for 30 more days and SHOULD be valid for at least 90 more days. When signing CSAF documents, the signing party SHOULD comply with or exceed current best practices and guidance on key length.
+
 ### I want to use a Content Delivery Network (CDN) to distribute CSAF files. What do I need to consider?
 
 Please see our advise on [CDNs](./cdn.md).