03-25-2011, 08:47 AM
Thomas Kahle
validity of manifest signing key
Hi,
it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
the validity should be <6 month. What is the protocol when the expiry
date is approaching?
-) Extend expiry date and upload again?
-) Create new key (and sign with ?? ) ?
Cheers,
Thomas
--
Thomas Kahle
http://dev.gentoo.org/~tomka/
03-25-2011, 08:55 AM
Antoni Grzymala
validity of manifest signing key
Thomas Kahle dixit (2011-03-25, 10:47):
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
“After size comes the expiration date. Here smaller is better, but most
users can go for a key that never expires or to something like 2 or 3 years.”
Can't find anything about <6 months.
--
[a]
03-25-2011, 09:18 AM
Christoph Mende
validity of manifest signing key
On Fri, 2011-03-25 at 10:55 +0100, Antoni Grzymala wrote:
> Thomas Kahle dixit (2011-03-25, 10:47):
>
> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> > the validity should be <6 month. What is the protocol when the expiry
> > date is approaching?
>
> “After size comes the expiration date. Here smaller is better, but most
> users can go for a key that never expires or to something like 2 or 3 years.”
>
> Can't find anything about <6 months.
>
He prolly wanted to post
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
03-25-2011, 10:35 AM
Dane Smith
validity of manifest signing key
On 03/25/2011 05:47 AM, Thomas Kahle wrote:
> Hi,
>
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
>
> -) Extend expiry date and upload again?
> -) Create new key (and sign with ?? ) ?
>
> Cheers,
> Thomas
>
Traditionally you start using your new key the day your old key expires.
Having said that, <6 months seems a little paranoid, even by my
standards. (And I'm a professional paranoid) I'd say for a developer, ~
1 year is more than adequate.
--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
03-25-2011, 01:46 PM
Michał Górny
validity of manifest signing key
On Fri, 25 Mar 2011 10:47:19 +0100
Thomas Kahle <tomka@gentoo.org> wrote:
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
> that the validity should be <6 month. What is the protocol when the
> expiry date is approaching?
I'd say that should be changed. With keys changing every half a year,
we're soon going to have a tree spammed with Manifests signed using
expired keys.
--
Best regards,
Michał Górny
03-25-2011, 01:53 PM
"Andreas K. Huettel"
validity of manifest signing key
> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
> > that the validity should be <6 month. What is the protocol when the
> > expiry date is approaching?
>
> I'd say that should be changed. With keys changing every half a year,
> we're soon going to have a tree spammed with Manifests signed using
> expired keys.
Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).
--
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfridge@gentoo.org
http://www.akhuettel.de/
03-25-2011, 03:35 PM
"Robin H. Johnson"
validity of manifest signing key
On Fri, Mar 25, 2011 at 10:47:19AM +0100, Thomas Kahle wrote:
> Hi,
>
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
>
> -) Extend expiry date and upload again?
Extend it and make sure you upload.
Also, I propose we change the suggested validity time to 1 or 2 years,
due to the implications on key-signing (certifications):
Specifically, GPG/PGP as a protocol, requires that your certification
expires on or before the key at the time of signing the key.
--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
03-25-2011, 05:58 PM
Mike Frysinger
validity of manifest signing key
On Fri, Mar 25, 2011 at 10:53 AM, Andreas K. Huettel wrote:
>> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
>> > that the validity should be <6 month. What is the protocol when the
>> > expiry date is approaching?
>>
>> I'd say that should be changed. With keys changing every half a year,
>> we're soon going to have a tree spammed with Manifests signed using
>> expired keys.
>
> Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).
it does not. the only thing that matters when checking signatures is
that the key was valid *when the signature was made*. the fact that
you're checking the signature years after the key expired is
irrelevant.
-mike
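
The rule stated in the reply above (a signature counts if the key was valid when the signature was made), as an added example that is not part of the original thread: it compares the signature timestamp from a GnuPG `VALIDSIG` status line with the creation and expiry fields of a `--with-colons` key record. The fingerprint, key record and timestamps are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the thread).
FPR = "A" * 40
# Colon listing: field 6 = creation time, field 7 = expiry time (empty = never).
KEY_RECORD = "pub:e:2048:1:AAAAAAAAAAAAAAAA:1293840000:1325376000::-:::sc::::::"
# Status line: fpr, sig date, sig timestamp, sig expiry, version, reserved, ...
SIG_BEFORE_EXPIRY = f"[GNUPG:] VALIDSIG {FPR} 2011-03-25 1301047639 0 4 0 1 2 00 {FPR}"
SIG_AFTER_EXPIRY = f"[GNUPG:] VALIDSIG {FPR} 2012-02-23 1330000000 0 4 0 1 2 00 {FPR}"


def to_epoch(value):
    """GnuPG prints timestamps as epoch seconds or as ISO YYYYMMDDTHHMMSS."""
    if "T" in value:
        dt = datetime.strptime(value, "%Y%m%dT%H%M%S")
        return int(dt.replace(tzinfo=timezone.utc).timestamp())
    return int(value)


def key_window(record):
    """Return (created, expires) from a pub/sub record; expires may be None."""
    fields = record.split(":")
    if fields[0] not in ("pub", "sub"):
        raise ValueError("not a public key record")
    expires = to_epoch(fields[6]) if fields[6] else None
    return to_epoch(fields[5]), expires


def signature_time(status_line):
    """Return the signature creation time from a VALIDSIG status line."""
    parts = status_line.split()
    if parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
        raise ValueError("not a VALIDSIG line")
    return to_epoch(parts[4])


def classify(record, status_line):
    """Judge the signature against the key's validity window, not against now."""
    created, expires = key_window(record)
    signed = signature_time(status_line)
    if signed < created:
        return "signed-before-key-creation"
    if expires is not None and signed >= expires:
        return "signed-after-expiry"
    return "key-valid-at-signing"
```

The signature timestamp is written by the signer, so this comparison covers expiry only; a key that is known to be compromised is handled by revocation.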