Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

["Michał Górny" <mgorny@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 1766 bytes --]

W dniu pią, 06.07.2018 o godzinie 13∶34 +0200, użytkownik Ulrich Mueller
napisał:
> > > > > > On Fri, 6 Jul 2018, Marc Schiffbauer wrote:
> > * Michał Górny schrieb am 06.07.18 um 11:33 Uhr:
> > > If you don't see it for 5 years, how can you be sure that it is
> > > even still there?
> > Are you serious? Who tells you that I do not check from time to
> > time?
> > I am sure there will always be some scenario which makes a key
> > unacessible in some way. I do not disagree with that. Its a matter
> > of propability.
> > And for the worst case there is a revoke-Certificate which can be
> > used.
> 
> Note that the revocation certificate is still listed under
> recommendations only, so devs need not create one. Making this a
> requirement would be a real improvement, IMHO.

How are you going to enforce it?  I didn't make it a requirement because
we simply can't verify it being met.

> Instead, the GLEP draft is focusing on short expiration times.
> It won't help much if your compromised key will expire within one
> year, but you cannot revoke it.

You're conflating two unrelated concepts.  Expiration is not meant to
replace revocation, or in any way amend it.  Expiration is meant to
cover the case of both the key and the revocation certificate being
destroyed or otherwise becoming inaccessible.

> 
> Suggestions:
> - Change the minimum requirement for key expiry to at most 3 years
>   (which is what in version 1 is recommended).
> - Recommend at most 15 months of key expiry, to be renewed at least
>   2 weeks before the expiry date.
> - Make creation of a revocation certificate (and storing it in a place
>   separate from the key) mandatory.
> 
> Ulrich

-- 
Best regards,
Michał Górny

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]