I have a question about managing PGP keys.
One of my trading partners, who will remain nameless to protect them, has been using the same key for a number of years and every year, they EDIT the key to change the expiration date instead of generating a new key.
I personally would prefer a new key instead of just editing the key expiration date.
I know they are just editing the expiration date because the PGP Key ID never changes.
I'm posting this to see if there is actually in fact a risk to using the same key. I believe that there is. I just need some confirmation or correction, if I am incorrect.
I've done some research, but I have not found anything that explicitly states that the date shouldn't be changed, but that a new key should instead be generated, which will result in a new key ID.
I'm looking for any documentation or facts to support the theory that keys should be generated new instead of reused over a long period of time.
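As an added illustration (not part of the original post): the observation that the key ID never changes follows from how OpenPGP computes it. The v4 fingerprint, and the key ID derived from it, are hashed over the public key packet only (RFC 4880 section 12.2), while the expiration date lives in a subpacket of the self-signature. The model below uses constructed placeholder key material and a hypothetical `Certificate` class to show that extending the expiry leaves the fingerprint and key ID untouched, whereas generating new key material yields a new key ID.

```python
import hashlib
import struct
from dataclasses import dataclass, replace
# Constructed sample values (not a real key). Real RSA keys carry a 2048+ bit
# modulus; a tiny placeholder keeps the example short without changing the logic.
CREATION_TIME = 1262304000   # 2010-01-01T00:00:00Z
YEAR = 365 * 86400

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer (RFC 4880 s3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

@dataclass(frozen=True)
class Certificate:
    creation_time: int    # in the public key packet
    n: int                # RSA modulus, in the public key packet
    e: int                # RSA exponent, in the public key packet
    expiry_seconds: int   # in the self-signature, NOT in the key packet

    def public_key_packet_body(self) -> bytes:
        """v4 RSA key packet body (RFC 4880 s5.5.2): version, creation time, algo 1, MPIs."""
        return bytes([4]) + struct.pack(">I", self.creation_time) + bytes([1]) + mpi(self.n) + mpi(self.e)

    def expiry_subpacket(self) -> bytes:
        """Signature subpacket type 9 (RFC 4880 s5.2.3.6): length 5, type 9, seconds after creation."""
        return bytes([5, 9]) + struct.pack(">I", self.expiry_seconds)

    def fingerprint(self) -> str:
        """RFC 4880 s12.2: SHA-1 over 0x99, two-octet length, key packet body only.
        The self-signature carrying the expiry is not part of the hash."""
        body = self.public_key_packet_body()
        return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

    def key_id(self) -> str:
        """The 64-bit key ID is the low-order eight octets of the fingerprint."""
        return self.fingerprint()[-16:]

def extend_expiry(cert: Certificate, extra_seconds: int) -> Certificate:
    """Roughly what gpg's 'expire' edit does: a new self-signature with a new
    subpacket 9 over the same, unchanged key packet."""
    return replace(cert, expiry_seconds=cert.expiry_seconds + extra_seconds)

def rotate_key(cert: Certificate, new_n: int, now: int) -> Certificate:
    """Generating a fresh key: new key material and creation time give a new
    key packet, hence a new fingerprint and key ID."""
    return Certificate(creation_time=now, n=new_n, e=cert.e, expiry_seconds=YEAR)

OLD = Certificate(CREATION_TIME, 0xC0FFEE1234567890ABCDEF, 65537, YEAR)
```

Because only the key packet is hashed, the same private key material stays in service for as long as the expiry keeps being extended; `rotate_key` is the only operation in this model that produces a new key ID.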