* Re: [gentoo-dev] validity of manifest signing key
From: Antoni Grzymala @ 2011-03-25 9:55 UTC
To: gentoo-dev
Thomas Kahle dixit (2011-03-25, 10:47):
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
“After size comes the expiration date. Here smaller is better, but most
users can go for a key that never expires or to something like 2 or 3 years.”
Can't find anything about <6 months.
--
[a]
* Re: [gentoo-dev] validity of manifest signing key
From: Christoph Mende @ 2011-03-25 10:18 UTC
To: gentoo-dev
On Fri, 2011-03-25 at 10:55 +0100, Antoni Grzymala wrote:
> Thomas Kahle dixit (2011-03-25, 10:47):
>
> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> > the validity should be <6 month. What is the protocol when the expiry
> > date is approaching?
>
> “After size comes the expiration date. Here smaller is better, but most
> users can go for a key that never expires or to something like 2 or 3 years.”
>
> Can't find anything about <6 months.
>
He prolly wanted to post
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
* Re: [gentoo-dev] validity of manifest signing key
From: justin @ 2011-06-25 7:37 UTC
To: gentoo-dev
Hi,
I was signing my commits since I am a dev, but I just discovered that I
only do sha1 signing. How do I switch to sha256 signing?
justin
* Re: [gentoo-dev] validity of manifest signing key
From: Michał Górny @ 2011-06-25 7:44 UTC
To: gentoo-dev; +Cc: jlec
On Sat, 25 Jun 2011 09:37:55 +0200
justin <jlec@gentoo.org> wrote:
> I was signing my commits since I am a dev, but I just discovered that
> I only do sha1 signing. How do I switch to sha256 signing?
$ grep digest ~/.gnupg/gpg.conf
personal-digest-preferences sha256,sha512,sha1,ripemd160,md5
--
Best regards,
Michał Górny
* Re: [gentoo-dev] validity of manifest signing key
From: Dane Smith @ 2011-03-25 11:35 UTC
To: gentoo-dev
On 03/25/2011 05:47 AM, Thomas Kahle wrote:
> Hi,
>
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
>
> -) Extend expiry date and upload again?
> -) Create new key (and sign with ?? ) ?
>
> Cheers,
> Thomas
>
Traditionally you start using your new key the day your old key expires.
Having said that, <6 months seems a little paranoid, even by my
standards. (And I'm a professional paranoid) I'd say for a developer, ~
1 year is more than adequate.
--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
* Re: [gentoo-dev] validity of manifest signing key
From: Michał Górny @ 2011-03-25 14:46 UTC
To: gentoo-dev; +Cc: tomka, gentoo-dev
On Fri, 25 Mar 2011 10:47:19 +0100
Thomas Kahle <tomka@gentoo.org> wrote:
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
> that the validity should be <6 month. What is the protocol when the
> expiry date is approaching?
I'd say that should be changed. With keys changing every half a year,
we're soon going to have a tree spammed with Manifests signed using
expired keys.
--
Best regards,
Michał Górny
* Re: [gentoo-dev] validity of manifest signing key
From: Andreas K. Huettel @ 2011-03-25 14:53 UTC
To: gentoo-dev
> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
> > that the validity should be <6 month. What is the protocol when the
> > expiry date is approaching?
>
> I'd say that should be changed. With keys changing every half a year,
> we're soon going to have a tree spammed with Manifests signed using
> expired keys.
Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).
--
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfridge@gentoo.org
http://www.akhuettel.de/
* Re: [gentoo-dev] validity of manifest signing key
From: Mike Frysinger @ 2011-03-25 18:58 UTC
To: gentoo-dev
On Fri, Mar 25, 2011 at 10:53 AM, Andreas K. Huettel wrote:
>> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
>> > that the validity should be <6 month. What is the protocol when the
>> > expiry date is approaching?
>>
>> I'd say that should be changed. With keys changing every half a year,
>> we're soon going to have a tree spammed with Manifests signed using
>> expired keys.
>
> Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).
It does not. The only thing that matters when checking signatures is
that the key was valid *when the signature was made*. The fact that
you're checking the signature years after the key expired is
irrelevant.
-mike
* Re: [gentoo-dev] validity of manifest signing key
From: Robin H. Johnson @ 2011-03-25 16:35 UTC
To: gentoo-dev
On Fri, Mar 25, 2011 at 10:47:19AM +0100, Thomas Kahle wrote:
> Hi,
>
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
>
> -) Extend expiry date and upload again?
Extend it and make sure you upload.
Also, I propose we change the suggested validity time to 1 or 2 years,
due to the implications on key-signing (certifications):
Specifically, GPG/PGP as a protocol requires that your certification
expires on or before the key at the time of signing the key.
--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
* Re: [gentoo-dev] validity of manifest signing key
From: Mike Frysinger @ 2011-03-25 19:00 UTC
To: gentoo-dev
On Fri, Mar 25, 2011 at 5:47 AM, Thomas Kahle wrote:
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that
> the validity should be <6 month. What is the protocol when the expiry
> date is approaching?
>
> -) Extend expiry date and upload again?
I wasn't aware you could extend the expiration date of a key. That
sort of defeats the purpose of having an expiration date, doesn't it?
Then someone could steal your expired key, extend the date, and keep
using it.
-mike
* Re: [gentoo-dev] validity of manifest signing key
From: Andreas K. Huettel @ 2011-03-25 19:42 UTC
To: gentoo-dev
> > -) Extend expiry date and upload again?
>
> i wasnt aware you could extend the expiration date of a key. that
> sort of defeats the purpose of having an expiration date doesnt it ?
> then someone could steal your expired key, extend the date, and keep
> using it.
The expiration date is a property of the self-signature. If you can re-do the self-signature (i.e. you have access to the secret key), you can extend the expiration date.
If someone steals your expired key *and* has full access to the secret part, yes, then he can reactivate it.
If you want to permanently disable your key, you should generate a revocation certificate (which is also a signature). AFAIK, there is no way to revoke a revocation.
--
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfridge@gentoo.org
http://www.akhuettel.de/
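The three technical claims made above (Michał Górny's gpg.conf digest preference, Mike Frysinger's "the key only has to be valid when the signature was made", and Andreas Huettel's "the expiration date is a property of the self-signature, and a revocation is also a signature") can all be checked against the OpenPGP packet format itself. The following is an added example, not code from this thread, from Gentoo or from GnuPG: a small RFC 4880 packet reader plus builders that construct a key block and some detached signatures with the dates discussed in the thread. The key ID, the key material and the signature MPIs are dummy bytes (no cryptographic verification is performed, only the packet parsing and the validity-window logic), and the revocation rule is simplified to "signatures made at or after the revocation time are bad", which ignores GnuPG's handling of revocation reasons.

```python
import struct
from datetime import datetime, timezone

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
TAG_SIGNATURE, TAG_PUBLIC_KEY = 2, 6                            # packet tags, RFC 4880 4.3
SUB_CREATED, SUB_KEY_EXPIRY, SUB_ISSUER = 2, 9, 16              # subpacket types, RFC 4880 5.2.3.1
SIG_BINARY, SIG_SELF_CERT, SIG_KEY_REVOKE = 0x00, 0x13, 0x20    # signature types, RFC 4880 5.2.1
DAY = 86400
def ts(date):  # "YYYY-MM-DD" -> Unix time, UTC
    return int(datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())
def _enc_len(n):  # new-format packet / subpacket length octets (RFC 4880 4.2.2, 5.2.3.1)
    if n < 192: return bytes([n])
    if n < 8384: return bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return b"\xff" + struct.pack(">I", n)
def _read_len(buf, pos, subpacket=False):  # -> (length, position after the length octets)
    first = buf[pos]
    if first < 192: return first, pos + 1
    if first == 255: return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    if subpacket or first < 224: return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    raise ValueError("partial body lengths not supported")    # 224..254 in a packet header

# Builders for constructed test input. No real crypto: MPIs and the hash prefix are dummy bytes.
def _subpacket(sub_type, body): return _enc_len(len(body) + 1) + bytes([sub_type]) + body
def _packet(tag, body): return bytes([0xC0 | tag]) + _enc_len(len(body)) + body
def build_public_key(created):  # v4 RSA public key packet: version, creation time, algo 1, dummy n and e
    mpis = struct.pack(">H", 8) + b"\xff" + struct.pack(">H", 17) + b"\x01\x00\x01"
    return _packet(TAG_PUBLIC_KEY, b"\x04" + struct.pack(">I", created) + b"\x01" + mpis)
def build_signature(sig_type, hash_algo, created, issuer, key_expiry_days=None):
    hashed = _subpacket(SUB_CREATED, struct.pack(">I", created))
    if key_expiry_days is not None:  # key expiry is a *hashed* subpacket of the self-signature
        hashed += _subpacket(SUB_KEY_EXPIRY, struct.pack(">I", key_expiry_days * DAY))
    unhashed = _subpacket(SUB_ISSUER, issuer)  # issuer key ID goes where gpg puts it: the unhashed area
    body = (bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + struct.pack(">H", 7) + b"\x42")
    return _packet(TAG_SIGNATURE, body)

def parse_packets(buf):  # yields (tag, body); gpg writes old-format headers for low tags, so handle both
    pos = 0
    while pos < len(buf):
        hdr = buf[pos]
        if not hdr & 0x80: raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                          # new format: tag in the low 6 bits
            tag, (length, pos) = hdr & 0x3F, _read_len(buf, pos + 1)
        elif hdr & 3 == 3:
            raise ValueError("indeterminate old-format length not supported")
        else:                                                   # old format: 1, 2 or 4 length octets
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            length, pos = int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        yield tag, buf[pos:pos + length]
        pos += length
def parse_subpackets(data):
    pos, subs = 0, {}
    while pos < len(data):
        length, pos = _read_len(data, pos, subpacket=True)
        subs[data[pos] & 0x7F] = data[pos + 1:pos + length]     # high bit of the type is the critical flag
        pos += length
    return subs
def parse_signature(body):  # v4 only; the unhashed area (issuer etc.) is not needed here and is skipped
    if body[0] != 4: raise ValueError("only v4 signatures are handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hlen])
    expiry = hashed.get(SUB_KEY_EXPIRY)
    return {"type": body[1], "hash": HASH_ALGOS.get(body[3], "unknown(%d)" % body[3]),
            "created": struct.unpack(">I", hashed[SUB_CREATED])[0],
            "key_expiry": struct.unpack(">I", expiry)[0] if expiry else None}
def key_validity(keyblock):  # -> (created, expires_at, revoked_at); the newest self-signature wins
    created = expires_at = revoked_at = None
    newest = -1
    for tag, body in parse_packets(keyblock):
        if tag == TAG_PUBLIC_KEY:
            created = struct.unpack(">I", body[1:5])[0]
        elif tag == TAG_SIGNATURE:
            sig = parse_signature(body)
            if sig["type"] == SIG_KEY_REVOKE:
                revoked_at = sig["created"]
            elif sig["type"] == SIG_SELF_CERT and sig["created"] > newest:
                newest = sig["created"]  # a re-done self-sig (gpg --edit-key 'expire') replaces the old expiry
                expires_at = created + sig["key_expiry"] if sig["key_expiry"] else None
    return created, expires_at, revoked_at
def signature_status(keyblock, sigblock):  # judged by the key's state *when the signature was made*
    created, expires_at, revoked_at = key_validity(keyblock)
    sig = parse_signature(next(b for t, b in parse_packets(sigblock) if t == TAG_SIGNATURE))
    if revoked_at is not None and sig["created"] >= revoked_at:
        return "bad: key revoked before signing", sig["hash"]
    if sig["created"] < created or (expires_at is not None and sig["created"] >= expires_at):
        return "bad: key not valid at signing time", sig["hash"]
    return "good", sig["hash"]

# Constructed timeline using the thread's dates; KEY_ID and all packets are made up, not a real Gentoo key.
KEY_ID = bytes.fromhex("0123456789abcdef")
KEY_CREATED = ts("2011-03-25")
KEY_6MO = build_public_key(KEY_CREATED) + build_signature(SIG_SELF_CERT, 8, KEY_CREATED, KEY_ID, 180)
SIG_JUNE_SHA1 = build_signature(SIG_BINARY, 2, ts("2011-06-25"), KEY_ID)    # made while the key was valid
SIG_OCT_SHA256 = build_signature(SIG_BINARY, 8, ts("2011-10-01"), KEY_ID)   # made after the 180-day expiry
KEY_EXTENDED = KEY_6MO + build_signature(SIG_SELF_CERT, 8, ts("2011-09-01"), KEY_ID, 730)  # expiry extended
KEY_REVOKED = KEY_EXTENDED + build_signature(SIG_KEY_REVOKE, 8, ts("2012-01-01"), KEY_ID)
SIG_FEB_2012 = build_signature(SIG_BINARY, 8, ts("2012-02-01"), KEY_ID)
```

Calling signature_status(KEY_6MO, SIG_JUNE_SHA1) yields ("good", "SHA1"): the June signature stays good no matter when it is checked, because the key was valid on 2011-06-25, and the "hash" field is the same "digest algo" value that `gpg --list-packets` prints for a real signature, which is how to confirm that the personal-digest-preferences change actually took effect. The October signature is bad against KEY_6MO (the 180-day self-signature expired on 2011-09-21) but good against KEY_EXTENDED, where a newer self-signature with a 730-day expiry replaces the old one, which is exactly the "re-do the self-signature" mechanism described above and why only someone holding the secret key can extend a key. Against KEY_REVOKED, a signature made after the revocation certificate is rejected regardless of expiry.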
* Re: [gentoo-dev] validity of manifest signing key
From: "Paweł Hajdan, Jr." @ 2011-03-26 9:36 UTC
To: gentoo-dev
On 3/25/11 8:00 PM, Mike Frysinger wrote:
> i wasnt aware you could extend the expiration date of a key. that
> sort of defeats the purpose of having an expiration date doesnt it ?
> then someone could steal your expired key, extend the date, and keep
> using it.
I think that's one more reason for revocation certificates.
By the way, an expiration date that can be extended is still useful. It
can serve as a dead-man switch in case you lose the private key, see
<https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#set-an-expiration-date-if-you-do-not-have-one>.
In other words, an expiration date that can be extended is still safer
than no expiration date at all, and is almost as convenient (transition
to a new key generally is somewhat inconvenient).