From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 651F6138335 for ; Sun, 29 Jul 2018 20:51:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E039BE0966; Sun, 29 Jul 2018 20:51:09 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id A5688E0963 for ; Sun, 29 Jul 2018 20:51:09 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 848CB335CA6 for ; Sun, 29 Jul 2018 20:51:07 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 2943C394 for ; Sun, 29 Jul 2018 20:51:04 +0000 (UTC) From: "Michał Górny" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Michał Górny" Message-ID: <1532894846.4c6ee94a5f65ade7ea61fe5f6dd7eb55adbc5497.mgorny@gentoo> Subject: [gentoo-commits] data/glep:master commit in: / X-VCS-Repository: data/glep X-VCS-Files: glep-0063.rst X-VCS-Directories: / X-VCS-Committer: mgorny X-VCS-Committer-Name: Michał Górny X-VCS-Revision: 4c6ee94a5f65ade7ea61fe5f6dd7eb55adbc5497 X-VCS-Branch: master Date: Sun, 29 Jul 2018 20:51:04 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 7f2b12de-9acf-43c1-b3b5-b53f3b82c215 X-Archives-Hash: c3305dbb5002e7642bf0def6974f6623 commit: 4c6ee94a5f65ade7ea61fe5f6dd7eb55adbc5497 Author: Michał Górny gentoo org> AuthorDate: Wed Jul 4 10:03:57 2018 +0000 Commit: Michał Górny gentoo org> CommitDate: Sun Jul 29 20:07:26 2018 +0000 URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=4c6ee94a glep-0063: Update and unify expiration term Replace the disjoint 'minimum' and 'recommendation' for expiration with a single requirement. Make it 2.5 years with recommended annual renewal to a fixed day of the year (2 years + some grace time for renewal). Also, remove disjoint expiration recommendation for the primary key and subkeys since many developers fail at implementing that anyway. glep-0063.rst | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/glep-0063.rst b/glep-0063.rst index 7f870bb..9ba778b 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -7,7 +7,7 @@ Author: Robin H. Johnson , Michał Górny Type: Standards Track Status: Final -Version: 1.1 +Version: 2 Created: 2013-02-18 Last-Modified: 2018-07-07 Post-History: 2013-11-10 @@ -28,6 +28,11 @@ OpenPGP key management policies for the Gentoo Linux distribution. Changes ======= +v2 + The distinct minimal and recommended expirations have been replaced + by a single requirement. The rules have been simplified to use + the same maximum time of 900 days for both the primary key and subkeys. + v1.1 The recommended RSA key size has been changed from 4096 bits to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_. @@ -75,7 +80,8 @@ not be used to commit. c. ECC curve 25519 -4. Key expiry: 5 years maximum +4. Expiration date on key and all subkeys set to no more than 900 days + into the future 5. Upload your key to the SKS keyserver rotation before usage! @@ -132,11 +138,7 @@ their primary key). 2. Primary key and the signing subkey are both of type RSA, 2048 bits (OpenPGP v4 key format or later) -3. Key expiry: - - a. Primary key: 3 years maximum, expiry date renewed annually. - - b. Signing subkey: 1 year maximum, expiry date renewed every 6 months. +3. Key expiration renewed annually to a fixed day of the year 4. Create a revocation certificate & store it hardcopy offsite securely (it's about ~300 bytes).