I think the take on key lifetime is premature which taking into consideration

1. How key is used

2. Whats the threat vector

3. Cost of key rotation

4. Cost of key verification

At the end of the day its a trade off, the business use case, your expertise and the risk have to be evaluated together