Linux Archive > Gentoo > Gentoo Development

Old 03-25-2011, 08:47 AM
Thomas Kahle
 
Default validity of manifest signing key

Hi,

it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
the validity should be <6 month. What is the protocol when the expiry
date is approaching?

-) Extend expiry date and upload again?
-) Create new key (and sign with ?? ) ?

Cheers,
Thomas

--
Thomas Kahle
http://dev.gentoo.org/~tomka/
 
Old 03-25-2011, 08:55 AM
Antoni Grzymala
 
Default validity of manifest signing key

Thomas Kahle dixit (2011-03-25, 10:47):

> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?

“After size comes the expiration date. Here smaller is better, but most
users can go for a key that never expires or to something like 2 or 3 years.”

Can't find anything about <6 months.

--
[a]
 
Old 03-25-2011, 09:18 AM
Christoph Mende
 
Default validity of manifest signing key

On Fri, 2011-03-25 at 10:55 +0100, Antoni Grzymala wrote:
> Thomas Kahle dixit (2011-03-25, 10:47):
>
> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> > the validity should be <6 month. What is the protocol when the expiry
> > date is approaching?
>
> “After size comes the expiration date. Here smaller is better, but most
> users can go for a key that never expires or to something like 2 or 3 years.”
>
> Can't find anything about <6 months.
>

He prolly wanted to post
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
 
Old 03-25-2011, 10:35 AM
Dane Smith
 
Default validity of manifest signing key

On 03/25/2011 05:47 AM, Thomas Kahle wrote:
> Hi,
>
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
>
> -) Extend expiry date and upload again?
> -) Create new key (and sign with ?? ) ?
>
> Cheers,
> Thomas
>

Traditionally you start using your new key the day your old key expires.

Having said that, <6 months seems a little paranoid, even by my
standards. (And I'm a professional paranoid) I'd say for a developer, ~
1 year is more than adequate.

--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
 
Old 03-25-2011, 01:46 PM
Michał Górny
 
Default validity of manifest signing key

On Fri, 25 Mar 2011 10:47:19 +0100
Thomas Kahle <tomka@gentoo.org> wrote:

> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
> that the validity should be <6 month. What is the protocol when the
> expiry date is approaching?

I'd say that should be changed. With keys changing every half a year,
we're soon going to have a tree spammed with Manifests signed using
expired keys.

--
Best regards,
Michał Górny
 
Old 03-25-2011, 01:53 PM
"Andreas K. Huettel"
 
Default validity of manifest signing key

> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
> > that the validity should be <6 month. What is the protocol when the
> > expiry date is approaching?
>
> I'd say that should be changed. With keys changing every half a year,
> we're soon going to have a tree spammed with Manifests signed using
> expired keys.

Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).

--
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfridge@gentoo.org
http://www.akhuettel.de/
 
Old 03-25-2011, 03:35 PM
"Robin H. Johnson"
 
Default validity of manifest signing key

On Fri, Mar 25, 2011 at 10:47:19AM +0100, Thomas Kahle wrote:
> Hi,
>
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
>
> -) Extend expiry date and upload again?
Extend it and make sure you upload.

Also, I propose we change the suggested validity time to 1 or 2 years,
due to the implications on key-signing (certifications):
Specifically, GPG/PGP as a protocol, requires that your certification
expires on or before the key at the time of signing the key.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
 
Old 03-25-2011, 05:58 PM
Mike Frysinger
 
Default validity of manifest signing key

On Fri, Mar 25, 2011 at 10:53 AM, Andreas K. Huettel wrote:
>> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
>> > that the validity should be <6 month. What is the protocol when the
>> > expiry date is approaching?
>>
>> I'd say that should be changed. With keys changing every half a year,
>> we're soon going to have a tree spammed with Manifests signed using
>> expired keys.
>
> Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).

it does not. the only thing that matters when checking signatures is
that the key was valid *when the signature was made*. the fact that
you're checking the signature years after the key expired is
irrelevant.
-mike
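
Added example, not part of the thread: the rule stated in the last reply (a signature counts if it was made while the key was still valid), applied to GnuPG `--status-fd` output from checking a signed Manifest. The status lines are constructed samples with a placeholder fingerprint and key ID; the field positions follow GnuPG's doc/DETAILS, and the function names and verdict labels are assumptions of this example.

```python
from datetime import datetime, timezone

PREFIX = "[GNUPG:] "
VERDICTS = {"GOODSIG", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}

def to_epoch(value):
    """GnuPG prints timestamps as epoch seconds or as ISO 8601 (YYYYMMDDTHHMMSS)."""
    if "T" in value:
        dt = datetime.strptime(value, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(value)

def parse_status(text):
    """Pull the verdict, signature creation time and key expiry time from status lines."""
    info = {"verdict": None, "sig_ts": None, "key_expired_ts": None}
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        if fields[0] in VERDICTS:
            info["verdict"] = fields[0]
        elif fields[0] == "VALIDSIG" and len(fields) >= 4:
            info["sig_ts"] = to_epoch(fields[3])      # VALIDSIG <fpr> <date> <sig-timestamp> ...
        elif fields[0] == "KEYEXPIRED" and len(fields) >= 2:
            info["key_expired_ts"] = to_epoch(fields[1])
    return info

def classify(text):
    """Accept signatures made before the key expired; reject everything else."""
    s = parse_status(text)
    if s["verdict"] == "GOODSIG":
        return "good"
    if s["verdict"] == "EXPKEYSIG":
        if s["sig_ts"] is None or s["key_expired_ts"] is None:
            return "unknown"                           # not enough data to compare times
        if s["sig_ts"] < s["key_expired_ts"]:
            return "good-key-expired-later"
        return "signed-after-expiry"
    return "reject"

# Constructed sample output; fingerprint, key ID and user ID are placeholders.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SIGNED_BEFORE = f"""[GNUPG:] KEYEXPIRED 1316908800
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Developer <dev@example.org>
[GNUPG:] VALIDSIG {FPR} 2011-03-25 1301011200 0 4 0 1 2 01 {FPR}"""
SIGNED_AFTER = SIGNED_BEFORE.replace("2011-03-25 1301011200", "2011-10-30 1320000000")

if __name__ == "__main__":
    print(classify(SIGNED_BEFORE), classify(SIGNED_AFTER))
```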
 