Vendors should always have two keys. One key is set to never expire and is used only to verify the transition from one key to the next. The second should have an expiry date, although that is not strictly necessary. This ensures that if one of the keys goes missing, the vendor can still be positively identified. Of course, a vendor should always keep several encrypted backups of their PGP keys and, for example, bury some, keep some in a hard-to-reach public place (tied to a tree branch 20ft up, maybe?), in a double MBB under the substrate of a fish tank, or in the internal walls of the house behind plug sockets (keep a safe distance between them to prevent possible EMF damage), etc.
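The key-transition check described above, modelled in Go as an added example that is not from the original post: an Ed25519 key pair stands in for each PGP key, the never-expiring root key signs a statement naming the old and new working keys plus the new key's expiry, and a customer holding the pinned root public key verifies it. The function names, the statement format and the demo keys generated in main are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Fingerprint models a PGP key fingerprint as a truncated hash of the public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// TransitionStatement is signed by the never-expiring root key only; it ties the
// old working key to its replacement and records the replacement's expiry.
type TransitionStatement struct {
	OldFP, NewFP string
	NewExpiry    time.Time
	Sig          []byte
}

func transitionMessage(oldFP, newFP string, exp time.Time) []byte {
	return []byte("transition:" + oldFP + "->" + newFP + "@" + exp.UTC().Format(time.RFC3339))
}

// SignTransition is the vendor side: the root key vouches for the new working key.
func SignTransition(root ed25519.PrivateKey, oldPub, newPub ed25519.PublicKey, exp time.Time) TransitionStatement {
	st := TransitionStatement{OldFP: Fingerprint(oldPub), NewFP: Fingerprint(newPub), NewExpiry: exp}
	st.Sig = ed25519.Sign(root, transitionMessage(st.OldFP, st.NewFP, exp))
	return st
}

// VerifyTransition is the customer side, using the pinned root public key: accept the new
// key only if the old fingerprint is the trusted one, the new key matches, it is unexpired,
// and the root signature verifies. Any failure means the transition must not be trusted.
func VerifyTransition(rootPub ed25519.PublicKey, trustedOldFP string, newPub ed25519.PublicKey, st TransitionStatement, now time.Time) bool {
	if st.OldFP != trustedOldFP || st.NewFP != Fingerprint(newPub) || !now.Before(st.NewExpiry) {
		return false
	}
	return ed25519.Verify(rootPub, transitionMessage(st.OldFP, st.NewFP, st.NewExpiry), st.Sig)
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo keys, not real vendor keys
	oldPub, _, _ := ed25519.GenerateKey(rand.Reader)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	st := SignTransition(rootPriv, oldPub, newPub, time.Now().Add(365*24*time.Hour))
	fmt.Println("transition accepted:", VerifyTransition(rootPub, Fingerprint(oldPub), newPub, st, time.Now()))
}
```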