* [gentoo-dev] [PATCH v4 00/14] GLEP 63 update
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Hi,
Here's the next iteration of the GLEP, integrating even more suggestions
from developers. Full text below.
Also, please do not reply to previous versions, as this is making
the discussion really hard to follow.
--
Best regards,
Michał Górny
Michał Górny (14):
glep-0063: Use 'OpenPGP' as appropriate
glep-0063: RSAv4 -> OpenPGP v4 key format
glep-0063: 'Gentoo subkey' → 'Signing subkey'
glep-0063: Root key → primary key
glep-0063: Split out the signing subkey into a separate point
glep-0063: Explain minimal & recommended sections
glep-0063: Change the recommended RSA key size to 2048 bits
glep-0063: Allow ECC curve 25519 keys
glep-0063: Stop recommending DSA subkeys
glep-0063: Update and unify expiration term
glep-0063: Require renewal 2 weeks before expiration
glep-0063: Disallow using DSA keys
glep-0063: Remove whitespace from LDAP field
glep-0063: Remove recommended gpg.conf
glep-0063.rst | 158 ++++++++++++++++++++++++--------------------------
1 file changed, 76 insertions(+), 82 deletions(-)
--
2.18.0
---
GLEP: 63
Title: Gentoo OpenPGP policies
Author: Robin H. Johnson <robbat2@gentoo.org>,
Andreas K. Hüttel <dilfridge@gentoo.org>,
Marissa Fischer <blogtodiffer@gmail.com>,
Michał Górny <mgorny@gentoo.org>
Type: Standards Track
Status: Final
Version: 2
Created: 2013-02-18
Last-Modified: 2018-07-07
Post-History: 2013-11-10
Content-Type: text/x-rst
---
Credits
=======
Many developers and external sources helped in this GLEP.
Abstract
========
This GLEP provides both a minimum requirement and a recommended set of
OpenPGP key management policies for the Gentoo Linux distribution.
Changes
=======
v2
The distinct minimal and recommended expirations have been replaced
by a single requirement. The rules have been simplified to use
the same maximum time of 900 days for both the primary key and subkeys.
An additional rule requesting key renewal 2 weeks before expiration
has been added. This is in order to give services and other developers time
to refresh the key.
The usage of DSA keys has been disallowed.
The ``gpgfingerprint`` LDAP field has been altered to remove optional
whitespace.
The recommended ``gpg.conf`` contents have been removed as they were
seriously outdated and decreased security over the modern defaults.
v1.1
The recommended RSA key size has been changed from 4096 bits
to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
The larger recommendation was unjustified and resulted in people
unnecessarily replacing their RSA-2048 keys.
Minimal specification has been amended to allow for ECC keys.
The option of using DSA subkey has been removed from recommendations.
The section now specifies a single recommendation of using RSA.
Motivation
==========
Given the increasing use and importance of cryptographic protocols in internet
transactions of any kind, unified requirements for OpenPGP keys used in Gentoo
Linux development are sorely needed. This document provides both a set of
bare minimum requirements and a set of best practice recommendations for
the use of GnuPG (or other OpenPGP providers) by Gentoo Linux developers.
It is intended to provide a basis for future improvements such as
consistent ebuild or package signing and verification by end users.
Specifications for OpenPGP keys
===============================
Bare minimum requirements
-------------------------
This section specifies obligatory requirements for all OpenPGP keys used
to commit to Gentoo. Keys that do not conform to those requirements cannot
be used to commit.
1. SHA2-series output digest (SHA1 digests internally permitted),
   256-bit or more::

     personal-digest-preferences SHA256
2. Signing subkey that is different from the primary key, and does not
have any other capabilities enabled.
3. Primary key and the signing subkey are both of type EITHER:
a. RSA, >=2048 bits (OpenPGP v4 key format or later only)
b. ECC curve 25519
4. Expiration date on key and all subkeys set to no more than 900 days
into the future
5. Key expiration date renewed at least 2 weeks before the previous
expiration date.
6. Upload your key to the SKS keyserver rotation before usage!
Recommendations
---------------
This section specifies the best practices for Gentoo developers.
The developers should follow those practices unless there is a strong
technical reason not to (e.g. hardware limitations, necessity of replacing
their primary key).
1. Primary key and the signing subkey are both of type RSA, 2048 bits
(OpenPGP v4 key format or later)
2. Key expiration renewed annually to a fixed day of the year
3. Create a revocation certificate & store a hardcopy of it offsite securely
   (it is about 300 bytes).
4. Encrypted backup of your secret keys.
Gentoo LDAP
===========
All Gentoo developers must list the complete fingerprint for their primary
keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
uppercase, without whitespace.
The prior "``gpgkey``" field will be removed, as it is a subset
of the fingerprint field. In any place that presently displays
the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
be displayed instead.
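As an added example (not part of the GLEP or of any Gentoo tooling), the following Python checks a ``gpg --with-colons --list-keys`` listing against bare minimum requirements 2 to 5 above and against the ``gpgfingerprint`` format rule of this section. The listing, fingerprints, key IDs and dates are constructed; the colon-separated field layout is GnuPG's documented one (doc/DETAILS).

```python
"""GLEP 63 v2 bare-minimum check over GnuPG's colon listing (``gpg --with-colons
--list-keys``; field layout per GnuPG's doc/DETAILS).  Added example, not part of
the GLEP or of Gentoo tooling.  Requirement 1 lives in gpg.conf, not in the key,
and is not checked here."""
import re

MAX_EXPIRY_DAYS = 900         # requirement 4
RENEWAL_WINDOW_DAYS = 14      # requirement 5: renew at least 2 weeks before expiry
LDAP_FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # gpgfingerprint: 40 uppercase hex, no spaces
ALGO_RSA, ALGO_DSA, ALGO_EDDSA = 1, 17, 22   # OpenPGP algorithm IDs (listing field 4)


def parse_colon_listing(text):
    """Group records into keys: {'pub': fields, 'fpr': str, 'subs': [fields]}."""
    keys, current, fpr_owner = [], None, None
    for line in text.splitlines():
        fields = line.split(":")                   # 0-indexed; GnuPG counts from 1
        if fields[0] in ("pub", "sec"):            # 'sec'/'ssb': secret-key listing
            current = {"pub": fields, "fpr": None, "subs": []}
            keys.append(current)
            fpr_owner = current
        elif fields[0] in ("sub", "ssb") and current is not None:
            current["subs"].append(fields)
            fpr_owner = None                       # a following fpr is the subkey's
        elif fields[0] == "fpr" and fpr_owner is not None:
            fpr_owner["fpr"] = fields[9]           # field 10 carries the fingerprint
            fpr_owner = None
    return keys


def key_type_ok(fields):
    """Requirement 3: RSA with >= 2048 bits, or curve 25519 (EdDSA, 'ed25519')."""
    algo, bits = int(fields[3]), int(fields[2] or 0)
    curve = fields[16] if len(fields) > 16 else ""   # field 17: curve name
    if algo == ALGO_RSA:
        return bits >= 2048
    if algo == ALGO_EDDSA:
        return curve == "ed25519"
    return False   # DSA (17), ECDSA and anything else fail the minimum


def expiry_problems(fields, now):
    """Requirements 4 and 5 for one record; field 7 is the expiry in epoch seconds."""
    if not fields[6]:
        return ["has no expiration date"]
    remaining, out = (int(fields[6]) - now) / 86400, []
    if remaining > MAX_EXPIRY_DAYS:
        out.append(f"expires {remaining:.0f} days out (maximum {MAX_EXPIRY_DAYS})")
    if remaining < RENEWAL_WINDOW_DAYS:
        out.append(f"expires in {remaining:.0f} days; renewal was due "
                   f"{RENEWAL_WINDOW_DAYS} days before expiry")
    return out


def check_key(key, now, ldap_fpr=None):
    """Return human-readable violations for one parsed key; [] means compliant."""
    pub, problems = key["pub"], []
    # field 12 (index 11) lists the capability letters of that particular (sub)key
    signing_subs = [s for s in key["subs"] if "s" in s[11]]
    if not signing_subs:
        problems.append("requirement 2: no signing subkey (commits must not be signed with the primary key)")
    for s in signing_subs:
        extra = set(s[11]) - {"s"}
        if extra:
            problems.append(f"requirement 2: signing subkey {s[4]} also has capabilities "
                            f"{''.join(sorted(extra))}")
        if not key_type_ok(s):
            problems.append(f"requirement 3: signing subkey {s[4]} is not RSA>=2048 or ed25519")
    if not key_type_ok(pub):
        problems.append(f"requirement 3: primary key {pub[4]} is not RSA>=2048 or ed25519")
    for rec in [pub] + key["subs"]:
        problems += [f"requirement 4/5: key {rec[4]} {p}" for p in expiry_problems(rec, now)]
    if ldap_fpr is not None:
        if not LDAP_FPR_RE.match(ldap_fpr):
            problems.append("LDAP: gpgfingerprint must be exactly 40 uppercase hex digits, no whitespace")
        elif ldap_fpr != key["fpr"]:
            problems.append("LDAP: gpgfingerprint does not match the primary key fingerprint")
    return problems


# Constructed sample listing (fingerprints, key IDs, dates are made up); NOW is
# 2018-07-07T00:00:00Z, the GLEP's Last-Modified date, as epoch seconds.
NOW = 1530921600
SAMPLE = """\
pub:u:2048:1:89ABCDEF01234567:1530921600:1562457600::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1530921600::0::Compliant Dev <dev@example.org>::::::::::0:
sub:u:2048:1:0123456789ABCDEF:1530921600:1562457600:::::s::::::23:
pub:u:2048:17:FEDCBA9876543210:1400000000:::u:::scSCA::::::23::0:
fpr:::::::::111122223333444455556666FEDCBA9876543210:
sub:u:4096:1:AAAA0000BBBB1111:1400000000:1617321600:::::se::::::23:
sub:u:256:22:CCCC2222DDDD3333:1500000000:1531785600:::::s:::::ed25519:23:
"""

if __name__ == "__main__":
    for key in parse_colon_listing(SAMPLE):
        problems = check_key(key, NOW, ldap_fpr=key["fpr"])
        print(key["fpr"], "compliant" if not problems else "; ".join(problems))
```

The second sample key fails on every axis the policy names (DSA primary without expiry, a subkey that both signs and encrypts, a subkey expiring more than 900 days out, and an ed25519 subkey inside the two-week renewal window), which is what a pre-commit or LDAP-side check would report.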
Backwards Compatibility
=======================
There is no consistent standard for GPG usage in Gentoo to date. There is
conflicting information in the Devmanual [#DEVMANUAL-MANIFEST]_ and the GnuPG
Gentoo user guide [#GNUPG-USER]_. As there is little enforcement of Manifest
signing and very little commit signing to date, there are no backwards
compatibility concerns.
External documentation
======================
Much of the above was driven by the following:
* NIST SP 800-57 recommendations [#NISTSP800571]_, [#NISTSP800572]_
* Debian GPG documentation [#DEBIANGPG]_
* RiseUp.net OpenPGP best practices [#RISEUP]_
* ENISA Algorithms, Key Sizes and Parameters Report 2013 [#ENISA2013]_
References
==========
.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096?
(https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096)
.. [#DEBIANGPG] Debian GPG documentation
(https://wiki.debian.org/Keysigning)
.. [#EKAIA] Ana's blog: Creating a new GPG key
(http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/)
.. [#RISEUP] RiseUp.net OpenPGP best practices
(https://help.riseup.net/en/security/message-security/openpgp/best-practices)
.. [#DEVMANUAL-MANIFEST] Gentoo Development Guide: Manifest
(http://devmanual.gentoo.org/general-concepts/manifest/index.html)
.. [#GNUPG-USER] GnuPG Gentoo User Guide
(http://www.gentoo.org/doc/en/gnupg-user.xml)
.. [#NISTSP800571] NIST SP 800-57: Recommendation for Key Management:
Part 1: General (Revision 3)
(http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf)
.. [#NISTSP800572] NIST SP 800-57: Recommendation for Key Management:
Part 2: Best Practices for Key Management Organization
(http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf)
.. [#ISSUER-ANNOTATE] Including the entire fingerprint of the issuer
in an OpenPGP certification
(http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
.. [#ENISA2013] ENISA Algorithms, Key Sizes and Parameters Report,
2013 recommendations, version 1.0 (October 2013)
(https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report)
Copyright
=========
Copyright (c) 2013 by Robin Hugh Johnson, Andreas K. Hüttel, Marissa Fischer,
Michał Górny.
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/.
* [gentoo-dev] [PATCH v4 01/14] glep-0063: Use 'OpenPGP' as appropriate
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Replace many of the incorrect uses of GPG/GnuPG [key] with OpenPGP.
G[nu]PG has been left where the text clearly refers to the specific
implementation of OpenPGP rather than the standard itself.
---
glep-0063.rst | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index c59d545..522a3fd 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -1,14 +1,15 @@
---
GLEP: 63
-Title: Gentoo GPG key policies
+Title: Gentoo OpenPGP policies
Author: Robin H. Johnson <robbat2@gentoo.org>,
Andreas K. Hüttel <dilfridge@gentoo.org>,
- Marissa Fischer <blogtodiffer@gmail.com>
+ Marissa Fischer <blogtodiffer@gmail.com>,
+ Michał Górny <mgorny@gentoo.org>
Type: Standards Track
Status: Final
Version: 1
Created: 2013-02-18
-Last-Modified: 2015-08-25
+Last-Modified: 2018-07-07
Post-History: 2013-11-10
Content-Type: text/x-rst
---
@@ -21,22 +22,22 @@ Many developers and external sources helped in this GLEP.
Abstract
========
-This GLEP provides both a minimum requirement and a recommended set of GPG
-key management policies for the Gentoo Linux distribution.
+This GLEP provides both a minimum requirement and a recommended set of
+OpenPGP key management policies for the Gentoo Linux distribution.
Motivation
==========
Given the increasing use and importance of cryptographic protocols in internet
-transactions of any kind, unified requirements for GnuPG keys used in Gentoo
+transactions of any kind, unified requirements for OpenPGP keys used in Gentoo
Linux development are sorely needed. This document provides both a set of
bare minimum requirements and a set of best practice recommendations for
-the use of GnuPG by Gentoo Linux developers. It is intended to provide
-a basis for future improvements such as, e.g., consistent ebuild or package
-signing and verifying by end users.
+the use of GnuPG (or other OpenPGP providers) by Gentoo Linux developers.
+It is intended to provide a basis for future improvements such as, e.g.,
+consistent ebuild or package signing and verifying by end users.
-Specifications for GnuPG keys
-=============================
+Specifications for OpenPGP keys
+===============================
Bare minimum requirements
-------------------------
@@ -125,7 +126,7 @@ Recommendations
Gentoo LDAP
===========
-All Gentoo developers must list the complete GPG fingerprint for their root
+All Gentoo developers must list the complete fingerprint for their root
keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
uppercase, with optional spaces every 8 hex digits. Regular expression for
validation::
@@ -195,7 +196,8 @@ References
Copyright
=========
-Copyright (c) 2013 by Robin Hugh Johnson, Andreas K. Hüttel, Marissa Fischer.
+Copyright (c) 2013 by Robin Hugh Johnson, Andreas K. Hüttel, Marissa Fischer,
+Michał Górny.
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
Unported License. To view a copy of this license, visit
--
2.18.0
* [gentoo-dev] [PATCH v4 02/14] glep-0063: RSAv4 -> OpenPGP v4 key format
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Replace the 'RSAv4' with 'OpenPGP v4 key format'. The RSA algorithm
does not really have versions, and the author most likely meant v4
of the OpenPGP key format as outlined in RFC 4880, section 12.1.
This was figured out and explained to me by Kristian Fiskerstrand.
---
glep-0063.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 522a3fd..7af8d09 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -50,7 +50,7 @@ Bare minimum requirements
a. DSA, 2048-bit
- b. RSA, >=2048 bits, RSAv4 or later only
+ b. RSA, >=2048 bits (OpenPGP v4 key format or later only)
3. Key expiry: 5 years maximum
@@ -102,7 +102,7 @@ Recommendations
# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256
-2. Root key type RSA, 4096 bits, RSAv4 or later
+2. Root key type RSA, 4096 bits (OpenPGP v4 key format or later)
This may require creating an entirely new key.
--
2.18.0
* [gentoo-dev] [PATCH v4 03/14] glep-0063: 'Gentoo subkey' → 'Signing subkey'
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Replace the 'Gentoo subkey' term that might wrongly suggest that
the developers are expected to create an additional, dedicated subkey
for Gentoo.
Suggested-by: Kristian Fiskerstrand <k_f@gentoo.org>
---
glep-0063.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 7af8d09..6be2555 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -116,7 +116,7 @@ Recommendations
a. Root key: 3 years maximum, expiry date renewed annually.
- b. Gentoo subkey: 1 year maximum, expiry date renewed every 6 months.
+ b. Signing subkey: 1 year maximum, expiry date renewed every 6 months.
5. Create a revocation certificate & store it hardcopy offsite securely
(it's about ~300 bytes).
--
2.18.0
* [gentoo-dev] [PATCH v4 04/14] glep-0063: Root key → primary key
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Replace the custom term 'root key' with the much more common 'primary key'.
This is also the term used in GnuPG output.
---
glep-0063.rst | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 6be2555..940612c 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -46,7 +46,7 @@ Bare minimum requirements
personal-digest-preferences SHA256
-2. Root key and signing subkey of EITHER:
+2. Primary key and signing subkey of EITHER:
a. DSA, 2048-bit
@@ -102,7 +102,7 @@ Recommendations
# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256
-2. Root key type RSA, 4096 bits (OpenPGP v4 key format or later)
+2. Primary key type RSA, 4096 bits (OpenPGP v4 key format or later)
This may require creating an entirely new key.
@@ -114,7 +114,7 @@ Recommendations
4. Key expiry:
- a. Root key: 3 years maximum, expiry date renewed annually.
+ a. Primary key: 3 years maximum, expiry date renewed annually.
b. Signing subkey: 1 year maximum, expiry date renewed every 6 months.
@@ -126,7 +126,7 @@ Recommendations
Gentoo LDAP
===========
-All Gentoo developers must list the complete fingerprint for their root
+All Gentoo developers must list the complete fingerprint for their primary
keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
uppercase, with optional spaces every 8 hex digits. Regular expression for
validation::
--
2.18.0
* [gentoo-dev] [PATCH v4 05/14] glep-0063: Split out the signing subkey into a separate point
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Reword the specification to express the requirement for a separate signing
subkey more verbosely. Replace the ambiguous term 'dedicated' with a
clear explanation that it needs to be different from the primary key
and not used for other purposes.
Suggested-by: Kristian Fiskerstrand <k_f@gentoo.org>
---
glep-0063.rst | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 940612c..05e5e9d 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -46,15 +46,18 @@ Bare minimum requirements
personal-digest-preferences SHA256
-2. Primary key and signing subkey of EITHER:
+2. Signing subkey that is different from the primary key, and does not
+ have any other capabilities enabled.
+
+3. Primary key and the signing subkey are both of type EITHER:
a. DSA, 2048-bit
b. RSA, >=2048 bits (OpenPGP v4 key format or later only)
-3. Key expiry: 5 years maximum
+4. Key expiry: 5 years maximum
-4. Upload your key to the SKS keyserver rotation before usage!
+5. Upload your key to the SKS keyserver rotation before usage!
Recommendations
---------------
@@ -106,7 +109,7 @@ Recommendations
This may require creating an entirely new key.
-3. Dedicated signing subkey of EITHER:
+3. The signing subkey of EITHER:
a. DSA 2048 bits exactly.
--
2.18.0
* [gentoo-dev] [PATCH v4 06/14] glep-0063: Explain minimal & recommended sections
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
---
glep-0063.rst | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/glep-0063.rst b/glep-0063.rst
index 05e5e9d..a93e6ac 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -41,6 +41,10 @@ Specifications for OpenPGP keys
Bare minimum requirements
-------------------------
+This section specifies obligatory requirements for all OpenPGP keys used
+to commit to Gentoo. Keys that do not conform to those requirements can
+not be used to commit.
+
1. SHA2-series output digest (SHA1 digests internally permitted),
256bit or more::
@@ -61,6 +65,10 @@ Bare minimum requirements
Recommendations
---------------
+This section specifies the best practices for Gentoo developers.
+The developers should follow those practices unless there is a strong
+technical reason not to (e.g. hardware limitations, necessity of replacing
+their primary key).
1. Copy ``/usr/share/gnupg/gpg-conf.skel`` to ``~/.gnupg/gpg.conf``, append
the following block::
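Review bot: the paragraph inserted at the top of Recommendations ("+This section specifies the best practices ... their primary key).") is not followed by a "+" blank line before "1. Copy ``/usr/share/gnupg/gpg-conf.skel`` ...", while the matching insertion in the Bare minimum requirements hunk does add one. reStructuredText requires a blank line before an enumerated list, so docutils will fold the first list item into the paragraph text; add a blank "+" line after "+their primary key)." so the two insertions are consistent.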
--
2.18.0
* [gentoo-dev] [PATCH v4 07/14] glep-0063: Change the recommended RSA key size to 2048 bits
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Change the recommended key size for RSA from 4096 bits
to 2048 bits. Use of larger keys is unjustified due to negligible gain
in security, and recommending RSA-4096 unnecessarily resulted
in developers replacing their RSA-2048 keys for no good reason.
---
glep-0063.rst | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index a93e6ac..b2e6679 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -7,7 +7,7 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
Michał Górny <mgorny@gentoo.org>
Type: Standards Track
Status: Final
-Version: 1
+Version: 1.1
Created: 2013-02-18
Last-Modified: 2018-07-07
Post-History: 2013-11-10
@@ -25,6 +25,15 @@ Abstract
This GLEP provides both a minimum requirement and a recommended set of
OpenPGP key management policies for the Gentoo Linux distribution.
+Changes
+=======
+
+v1.1
+ The recommended RSA key size has been changed from 4096 bits
+ to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
+ The larger recommendation was unjustified and resulted in people
+ unnecessarily replacing their RSA-2048 keys.
+
Motivation
==========
@@ -113,15 +122,13 @@ their primary key).
# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256
-2. Primary key type RSA, 4096 bits (OpenPGP v4 key format or later)
-
- This may require creating an entirely new key.
+2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later)
3. The signing subkey of EITHER:
a. DSA 2048 bits exactly.
- b. RSA 4096 bits exactly.
+ b. RSA 2048 bits exactly.
4. Key expiry:
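Review bot: "b. RSA 2048 bits exactly." in the signing subkey recommendation works against the stated goal of the change. The commit message says RSA-4096 was dropped because it made developers replace RSA-2048 keys for no good reason, yet "exactly" now tells anyone holding an RSA-3072 or RSA-4096 subkey, which satisfies the ">=2048 bits" minimum, that their key is not the recommended one, inviting the same needless replacement in the other direction. Suggest "b. RSA, 2048 bits or more." (and likewise "at least" rather than "exactly" for the primary key line) so the recommendation only rules out weaker keys.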
@@ -174,6 +181,9 @@ Much of the above was driven by the following:
References
==========
+.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096?
+ (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096)
+
.. [#DEBIANGPG] Debian GPG documentation
(https://wiki.debian.org/Keysigning)
--
2.18.0
* [gentoo-dev] [PATCH v4 08/14] glep-0063: Allow ECC curve 25519 keys
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Optionally allow using ECC curve 25519 keys. We already have
developers using those keys, and given that they are supported
by GnuPG 2.2, there's probably no reason to ban them. However, they're
not recommended due to interoperability issues.
---
glep-0063.rst | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/glep-0063.rst b/glep-0063.rst
index b2e6679..472e540 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -34,6 +34,8 @@ v1.1
The larger recommendation was unjustified and resulted in people
unnecessarily replacing their RSA-2048 keys.
+ Minimal specification has been amended to allow for ECC keys.
+
Motivation
==========
@@ -68,6 +70,8 @@ not be used to commit.
b. RSA, >=2048 bits (OpenPGP v4 key format or later only)
+ c. ECC curve 25519
+
4. Key expiry: 5 years maximum
5. Upload your key to the SKS keyserver rotation before usage!
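Review bot: "+ c. ECC curve 25519" does not name the OpenPGP algorithm, and curve 25519 appears in OpenPGP keys in two forms: EdDSA on Ed25519, which can sign, and ECDH on Curve25519 (cv25519), which can only encrypt. Since this list governs "Primary key and the signing subkey", only the EdDSA form can satisfy it; spelling that out ("c. EdDSA on curve 25519 (Ed25519)") keeps an encryption-only cv25519 key from being read as an acceptable signing key and gives tooling that inspects the algorithm ID something concrete to check.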
--
2.18.0
* [gentoo-dev] [PATCH v4 09/14] glep-0063: Stop recommending DSA subkeys
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
There is really no technical reason to use DSA these days, and we should
focus on having a single recommendation. DSA keys are still permitted
via 'minimal' requirements.
---
glep-0063.rst | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 472e540..87ea71e 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -36,6 +36,9 @@ v1.1
Minimal specification has been amended to allow for ECC keys.
+ The option of using DSA subkey has been removed from recommendations.
+ The section now specifies a single recommendation of using RSA.
+
Motivation
==========
@@ -126,24 +129,19 @@ their primary key).
# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256
-2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later)
-
-3. The signing subkey of EITHER:
-
- a. DSA 2048 bits exactly.
-
- b. RSA 2048 bits exactly.
+2. Primary key and the signing subkey are both of type RSA, 2048 bits
+ (OpenPGP v4 key format or later)
-4. Key expiry:
+3. Key expiry:
a. Primary key: 3 years maximum, expiry date renewed annually.
b. Signing subkey: 1 year maximum, expiry date renewed every 6 months.
-5. Create a revocation certificate & store it hardcopy offsite securely
+4. Create a revocation certificate & store it hardcopy offsite securely
(it's about ~300 bytes).
-6. Encrypted backup of your secret keys.
+5. Encrypted backup of your secret keys.
Gentoo LDAP
===========
--
2.18.0
* [gentoo-dev] [PATCH v4 10/14] glep-0063: Update and unify expiration term
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Replace the disjoint 'minimum' and 'recommendation' for expiration with
a single requirement. Make it 2.5 years with recommended annual renewal
to a fixed day of the year (2 years + some grace time for renewal).
Also, remove disjoint expiration recommendation for the primary key
and subkeys since many developers fail at implementing that anyway.
---
glep-0063.rst | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 87ea71e..7bfbaa6 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -7,7 +7,7 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
Michał Górny <mgorny@gentoo.org>
Type: Standards Track
Status: Final
-Version: 1.1
+Version: 2
Created: 2013-02-18
Last-Modified: 2018-07-07
Post-History: 2013-11-10
@@ -28,6 +28,11 @@ OpenPGP key management policies for the Gentoo Linux distribution.
Changes
=======
+v2
+ The distinct minimal and recommended expirations have been replaced
+ by a single requirement. The rules have been simplified to use
+ the same maximum time of 900 days for both the primary key and subkeys.
+
v1.1
The recommended RSA key size has been changed from 4096 bits
to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
@@ -75,7 +80,8 @@ not be used to commit.
c. ECC curve 25519
-4. Key expiry: 5 years maximum
+4. Expiration date on key and all subkeys set to no more than 900 days
+ into the future
5. Upload your key to the SKS keyserver rotation before usage!
@@ -132,11 +138,7 @@ their primary key).
2. Primary key and the signing subkey are both of type RSA, 2048 bits
(OpenPGP v4 key format or later)
-3. Key expiry:
-
- a. Primary key: 3 years maximum, expiry date renewed annually.
-
- b. Signing subkey: 1 year maximum, expiry date renewed every 6 months.
+3. Key expiration renewed annually to a fixed day of the year
4. Create a revocation certificate & store it hardcopy offsite securely
(it's about ~300 bytes).
--
2.18.0
* [gentoo-dev] [PATCH v4 11/14] glep-0063: Require renewal 2 weeks before expiration
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Add a rule requesting renewal of keys at least two weeks before their
expiration date, in order to give services time to refresh.
---
glep-0063.rst | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 7bfbaa6..9ae9c74 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -33,6 +33,10 @@ v2
by a single requirement. The rules have been simplified to use
the same maximum time of 900 days for both the primary key and subkeys.
+ An additional rule requesting key renewal 2 weeks before expiration
+ has been added. This is in order to give services and other developers time
+ to refresh the key.
+
v1.1
The recommended RSA key size has been changed from 4096 bits
to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
@@ -83,7 +87,10 @@ not be used to commit.
4. Expiration date on key and all subkeys set to no more than 900 days
into the future
-5. Upload your key to the SKS keyserver rotation before usage!
+5. Key expiration date renewed at least 2 weeks before the previous
+ expiration date
+
+6. Upload your key to the SKS keyserver rotation before usage!
Recommendations
---------------
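Review bot: the new item 5 ("Key expiration date renewed at least 2 weeks before the previous expiration date") is justified in the commit message by giving services time to refresh, but nothing in the hunk says the renewed key has to be published again; item 6 only covers the initial upload ("before usage!"). A key whose expiry is extended locally but not pushed to the SKS rotation still looks expired to every consumer, so the two-week window achieves nothing. Suggest making the re-upload explicit, e.g. "6. Upload your key to the SKS keyserver rotation before usage and after every renewal!".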
--
2.18.0
* [gentoo-dev] [PATCH v4 12/14] glep-0063: Disallow using DSA keys
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
There really is no technical reason to use DSA keys and people who are
still using old DSA keys should finally replace them, so remove them
from the minimal requirements.
---
glep-0063.rst | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 9ae9c74..d4fd953 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -37,6 +37,8 @@ v2
has been added. This is in order to give services and other developers time
to refresh the key.
+ The usage of DSA keys has been disallowed.
+
v1.1
The recommended RSA key size has been changed from 4096 bits
to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
@@ -78,11 +80,9 @@ not be used to commit.
3. Primary key and the signing subkey are both of type EITHER:
- a. DSA, 2048-bit
-
- b. RSA, >=2048 bits (OpenPGP v4 key format or later only)
+ a. RSA, >=2048 bits (OpenPGP v4 key format or later only)
- c. ECC curve 25519
+ b. ECC curve 25519
4. Expiration date on key and all subkeys set to no more than 900 days
into the future
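Review bot: with DSA gone, the only remaining ECC option is written "ECC curve 25519", which names a curve rather than a signature algorithm; for the primary key and the signing subkey this means Ed25519 (EdDSA), so consider writing "EdDSA on curve 25519 (Ed25519)" so the item can be checked against what gpg actually lists. The hunk also drops DSA without saying what holders of existing DSA keys must do; the commit message states the intent ("should finally replace them"), and a one-line transition note in the GLEP text itself would make that explicit.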
--
2.18.0
* [gentoo-dev] [PATCH v4 13/14] glep-0063: Remove whitespace from LDAP field
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Requested-by: Robin H. Johnson <robbat2@gentoo.org>
---
glep-0063.rst | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index d4fd953..0792a5c 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -39,6 +39,9 @@ v2
The usage of DSA keys has been disallowed.
+ The ``gpgfingerprint`` LDAP field has been altered to remove optional
+ whitespace.
+
v1.1
The recommended RSA key size has been changed from 4096 bits
to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
@@ -157,10 +160,7 @@ Gentoo LDAP
All Gentoo developers must list the complete fingerprint for their primary
keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
-uppercase, with optional spaces every 8 hex digits. Regular expression for
-validation::
-
- ^([[:space:]]*[[:xdigit:]]{8}){5}$
+uppercase, without whitespace.
The prior "``gpgkey``" field will be removed, as it is a subset
of the fingerprint field. In any place that presently displays
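Review bot: the hunk removes the validation regular expression together with the whitespace rule instead of replacing it, so the new "40 hex digits, uppercase, without whitespace" format is left without a machine-checkable definition; add one, e.g. `^[0-9A-F]{40}$`. Note that the removed `[[:xdigit:]]` class also accepted lowercase even though the text said "uppercase", so a replacement should spell out `A-F` rather than reuse `[[:xdigit:]]`.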
--
2.18.0
* [gentoo-dev] [PATCH v4 14/14] glep-0063: Remove recommended gpg.conf
From: Michał Górny @ 2018-07-07 5:56 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
Requested-by: Richard Yao <ryao@gentoo.org>
---
glep-0063.rst | 54 +++++++--------------------------------------------
1 file changed, 7 insertions(+), 47 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 0792a5c..b20af61 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -42,6 +42,9 @@ v2
The ``gpgfingerprint`` LDAP field has been altered to remove optional
whitespace.
+ The recommended ``gpg.conf`` contents have been removed as they were
+ seriously outdated and decreased security over the modern defaults.
+
v1.1
The recommended RSA key size has been changed from 4096 bits
to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
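Review bot: the changelog entry says the old ``gpg.conf`` contents "decreased security over the modern defaults" without saying which GnuPG release's defaults are meant; name the minimum GnuPG version the GLEP now assumes, otherwise a developer on an older release cannot tell whether any of the dropped settings still matter for them.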
@@ -102,58 +105,15 @@ The developers should follow those practices unless there is a strong
technical reason not to (e.g. hardware limitations, necessity of replacing
their primary key).
-1. Copy ``/usr/share/gnupg/gpg-conf.skel`` to ``~/.gnupg/gpg.conf``, append
- the following block::
-
- keyserver pool.sks-keyservers.net
-
- emit-version
-
- default-recipient-self
-
- # -- All of the below portion from the RiseUp.net OpenPGP best practices, and
- # -- many of them are also in the Debian GPG documentation.
-
- # when outputting certificates, view user IDs distinctly from keys:
- fixed-list-mode
-
- # long keyids are more collision-resistant than short keyids (it's trivial to make a key
- # with any desired short keyid)
- # NOTE: this breaks kmail gnupg support!
- keyid-format 0xlong
-
- # when multiple digests are supported by all recipients, choose the strongest one:
- personal-digest-preferences SHA512 SHA384 SHA256 SHA224
-
- # preferences chosen for new keys should prioritize stronger algorithms:
- default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
-
- # If you use a graphical environment (and even if you don't) you should be using an agent:
- # (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
- use-agent
-
- # You should always know at a glance which User IDs gpg thinks are legitimately bound to
- # the keys in your keyring:
- verify-options show-uid-validity
- list-options show-uid-validity
-
- # include an unambiguous indicator of which key made a signature:
- # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
- # (and http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html)
- sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
-
- # when making an OpenPGP certification, use a stronger digest than the default SHA1:
- cert-digest-algo SHA256
-
-2. Primary key and the signing subkey are both of type RSA, 2048 bits
+1. Primary key and the signing subkey are both of type RSA, 2048 bits
(OpenPGP v4 key format or later)
-3. Key expiration renewed annually to a fixed day of the year
+2. Key expiration renewed annually to a fixed day of the year
-4. Create a revocation certificate & store it hardcopy offsite securely
+3. Create a revocation certificate & store it hardcopy offsite securely
(it's about ~300 bytes).
-5. Encrypted backup of your secret keys.
+4. Encrypted backup of your secret keys.
Gentoo LDAP
===========
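Review bot: the removed block was the only place that configured a keyserver (`keyserver pool.sks-keyservers.net`), while the bare-minimum list still ends with "Upload your key to the SKS keyserver rotation before usage!" (item 6 in patch 11/14); consider keeping a one-line keyserver recommendation so that requirement still has a matching configuration hint. The renumbering of the remaining items 1 to 4 is consistent.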
--
2.18.0
* Re: [gentoo-dev] [PATCH v4 00/14] GLEP 63 update
From: Ulrich Mueller @ 2018-07-07 12:17 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
>>>>> On Sat, 7 Jul 2018, Michał Górny wrote:
[Section "Bare minimum requirements"]
> 1. SHA2-series output digest (SHA1 digests internally permitted),
> 256bit or more::
> personal-digest-preferences SHA256
Is the config line still needed with current GnuPG versions?
> 2. Signing subkey that is different from the primary key, and does not
> have any other capabilities enabled.
> 3. Primary key and the signing subkey are both of type EITHER:
> a. RSA, >=2048 bits (OpenPGP v4 key format or later only)
> b. ECC curve 25519
> 4. Expiration date on key and all subkeys set to no more than 900 days
> into the future
s/key/primary key/
Also be consistent with punctuation, i.e., add a full stop at the end
of the sentence.
[Section "Recommendations"]
> 1. Primary key and the signing subkey are both of type RSA, 2048 bits
> (OpenPGP v4 key format or later)
> 2. Key expiration renewed annually to a fixed day of the year
> 3. Create a revocation certificate & store it hardcopy offsite securely
> (it's about ~300 bytes).
Ditto for items 1. to 3. here.
> 4. Encrypted backup of your secret keys.
[...]
> Copyright
> =========
Insert a blank line after the header.
> Copyright (c) 2013 by Robin Hugh Johnson, Andreas K. Hüttel, Marissa Fischer,
> Michał Górny.
Update the date to "2013, 2018" (and rewrap the paragraph).
Ulrich
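An added example (not part of the thread or of the GLEP) that turns the quoted minimal requirements 2 to 4, plus the 2-week renewal rule from patch 11/14, into a check over `gpg --with-colons --list-keys` output; it assumes GnuPG 2.1+ colon-format field positions (UNIX timestamps in field 7, curve name in field 17), and the sample records are constructed, not real keys.

```python
# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1) as printed in field 4 of gpg's colon listing.
RSA, DSA, EDDSA = 1, 17, 22
DAY = 86400
MAX_EXPIRY_DAYS = 900     # item 4
RENEW_BEFORE_DAYS = 14    # item 5 (patch 11/14)


def parse_colons(listing: str) -> list:
    """Extract pub/sub records from 'gpg --with-colons --list-keys' output.

    Field positions follow GnuPG's doc/DETAILS (1-based): 3 key length, 4 algorithm,
    5 key ID, 7 expiration (assumed UNIX timestamp), 12 capabilities, 17 curve name.
    """
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        keys.append({"type": f[0], "bits": int(f[2]), "algo": int(f[3]),
                     "keyid": f[4], "expires": int(f[6]) if f[6] else None,
                     "caps": f[11], "curve": f[16] if len(f) > 16 else ""})
    return keys


def check_glep63_minimum(listing: str, now: int) -> list:
    """Return violations of minimal requirements 2 to 5 found in a key listing."""
    keys = parse_colons(listing)
    primary = [k for k in keys if k["type"] == "pub"]
    # item 2: a subkey whose only capability is signing ('s' alone in field 12)
    signing = [k for k in keys if k["type"] == "sub" and k["caps"] == "s"]
    problems = []
    if not signing:
        problems.append("item 2: no subkey with signing as its sole capability")
    for k in primary + signing:
        # item 3: RSA >= 2048 bits or curve 25519; DSA no longer qualifies (patch 12/14)
        ok = (k["algo"] == RSA and k["bits"] >= 2048) or \
             (k["algo"] == EDDSA and k["curve"] == "ed25519")
        if not ok:
            problems.append(f"item 3: {k['keyid']} is neither RSA>=2048 nor curve 25519")
    for k in keys:  # items 4 and 5 apply to the primary key and every subkey
        if k["expires"] is None:
            problems.append(f"item 4: {k['keyid']} never expires")
        elif k["expires"] - now > MAX_EXPIRY_DAYS * DAY:
            problems.append(f"item 4: {k['keyid']} expires more than 900 days out")
        elif k["expires"] - now < RENEW_BEFORE_DAYS * DAY:
            problems.append(f"item 5: {k['keyid']} is due for renewal (under 2 weeks left)")
    return problems


def record(kind, bits, algo, keyid, expires, caps, curve=""):
    """Build one constructed colon-format record with fields in gpg's order."""
    f = [""] * 21
    f[0], f[1], f[2], f[3], f[4] = kind, "u", str(bits), str(algo), keyid
    f[6], f[11], f[16] = str(expires or ""), caps, curve
    return ":".join(f)


NOW = 1530950000  # constructed 'current time' (2018-07-07)
GOOD = "\n".join([  # RSA-2048 primary with signing-only and encryption subkeys
    record("pub", 2048, RSA, "0000000000000001", NOW + 400 * DAY, "scESC"),
    record("sub", 2048, RSA, "0000000000000002", NOW + 400 * DAY, "s"),
    record("sub", 2048, RSA, "0000000000000003", NOW + 400 * DAY, "e"),
])
BAD = "\n".join([  # DSA primary set 1000 days out, sign+auth subkey 5 days from expiry
    record("pub", 2048, DSA, "0000000000000011", NOW + 1000 * DAY, "scESC"),
    record("sub", 255, EDDSA, "0000000000000012", NOW + 5 * DAY, "sa", "ed25519"),
])
```

`check_glep63_minimum(GOOD, NOW)` returns an empty list, while the `BAD` listing yields one finding for each of items 2, 3, 4 and 5.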
* Re: [gentoo-dev] [PATCH v4 13/14] glep-0063: Remove whitespace from LDAP field
From: Ulrich Mueller @ 2018-07-07 12:27 UTC
To: gentoo-dev; +Cc: robbat2, Michał Górny
>>>>> On Sat, 7 Jul 2018, Michał Górny wrote:
> All Gentoo developers must list the complete fingerprint for their primary
> keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
> -uppercase, with optional spaces every 8 hex digits. Regular expression for
> -validation::
> -
> - ^([[:space:]]*[[:xdigit:]]{8}){5}$
I don't see a single gpgfingerprint field in LDAP that would match
that old regexp. They're all formatted either without whitespace, or
like this:
0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
> +uppercase, without whitespace.
Does this imply that all devs must update their LDAP info, or will
infra take care of this?
Ulrich
* Re: [gentoo-dev] [PATCH v4 13/14] glep-0063: Remove whitespace from LDAP field
From: Michał Górny @ 2018-07-07 13:07 UTC
To: gentoo-dev; +Cc: robbat2
On Sat, 07.07.2018 at 14:27 +0200, Ulrich Mueller wrote:
> > > > > > On Sat, 7 Jul 2018, Michał Górny wrote:
> > All Gentoo developers must list the complete fingerprint for their primary
> > keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
> > -uppercase, with optional spaces every 8 hex digits. Regular expression for
> > -validation::
> > -
> > - ^([[:space:]]*[[:xdigit:]]{8}){5}$
>
> I don't see a single gpgfingerprint field in LDAP that would match
> that old regexp. They're all formatted either without whitespace, or
> like this:
>
> 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
>
> > +uppercase, without whitespace.
>
> Does this imply that all devs must update their LDAP info, or will
> infra take care of this?
>
We will mass-update it once we figure out how to do it ;-).
--
Best regards,
Michał Górny
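An added example (not part of the thread) that demonstrates the mismatch Ulrich describes and a safe way to do the mass update Michał mentions: it restates the removed regex for Python, shows which of the three layouts it accepts, and normalizes every entry to the new 40-uppercase-hex form, refusing anything that does not reduce to exactly 40 hex digits. The `NEW_RULE` regex and the sample LDAP entries are assumptions of this example, not part of the GLEP.

```python
import re

# The old GLEP 63 validation regex quoted above, rewritten for Python's re module
# (POSIX [[:space:]] -> \s, [[:xdigit:]] -> [0-9A-Fa-f]).
OLD_RULE = re.compile(r"^(\s*[0-9A-Fa-f]{8}){5}$")

# A machine-checkable form of the new wording "40 hex digits, uppercase, without
# whitespace". This regex is an assumption of this example; the patch itself drops
# the old regex without replacing it.
NEW_RULE = re.compile(r"^[0-9A-F]{40}$")


def matches_old_rule(value: str) -> bool:
    """True if the value satisfies the regex the patch removes."""
    return OLD_RULE.match(value) is not None


def normalize_fingerprint(value: str) -> str:
    """Rewrite a whitespace-grouped or lowercase fingerprint into the new form.

    Raises ValueError when the result is not exactly 40 hex digits, so a bulk
    update never writes back a truncated or non-hex value.
    """
    compact = "".join(value.split()).upper()
    if NEW_RULE.match(compact) is None:
        raise ValueError(f"not a 40-hex-digit fingerprint: {value!r}")
    return compact


def plan_mass_update(entries: dict) -> dict:
    """Map each entry (uid -> current gpgfingerprint) that needs rewriting to its
    normalized value; entries already in the new form are left out."""
    plan = {}
    for uid, current in entries.items():
        wanted = normalize_fingerprint(current)
        if wanted != current:
            plan[uid] = wanted
    return plan


# Constructed sample entries covering the layouts mentioned in the thread: compact,
# gpg's 4-digit groups, the 8-digit groups the old regex expected, and lowercase.
SAMPLE_LDAP = {
    "alice": "0123456789ABCDEF0123456789ABCDEF01234567",
    "bob":   "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "carol": "01234567 89ABCDEF 01234567 89ABCDEF 01234567",
    "dave":  "0123456789abcdef0123456789abcdef01234567",
}

if __name__ == "__main__":
    for uid, fpr in SAMPLE_LDAP.items():
        verdict = "accepts" if matches_old_rule(fpr) else "rejects"
        print(f"{uid}: old regex {verdict} {fpr!r}")
    print("entries to rewrite:", plan_mass_update(SAMPLE_LDAP))
```

The old regex rejects the 4-digit grouping gpg prints but accepts lowercase input, which the GLEP text never allowed; the normalizer fixes both.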
* Re: [gentoo-dev] [PATCH v4 00/14] GLEP 63 update
From: Michał Górny @ 2018-07-07 13:11 UTC
To: gentoo-dev; +Cc: robbat2
On Sat, 07.07.2018 at 14:17 +0200, Ulrich Mueller wrote:
> > > > > > On Sat, 7 Jul 2018, Michał Górny wrote:
>
> [Section "Bare minimum requirements"]
>
> > 1. SHA2-series output digest (SHA1 digests internally permitted),
> > 256bit or more::
> > personal-digest-preferences SHA256
>
> Is the config line still needed with current GnuPG versions?
I'll let others answer that. In any case, the point itself (requiring
SHA-2 digest) makes sense. The RiseUp standard requires all self-
signatures to be SHA-2, and I was planning on verifying that as well.
> > 2. Signing subkey that is different from the primary key, and does not
> > have any other capabilities enabled.
> > 3. Primary key and the signing subkey are both of type EITHER:
> > a. RSA, >=2048 bits (OpenPGP v4 key format or later only)
> > b. ECC curve 25519
> > 4. Expiration date on key and all subkeys set to no more than 900 days
> > into the future
>
> s/key/primary key/
>
> Also be consistent with punctuation, i.e., add a full stop at the end
> of the sentence.
Actually, I aimed to fix punctuation on things I've changed
(i.e. no full stop because it's not a proper sentence). I suppose I can
update the rest.
>
> [Section "Recommendations"]
>
> > 1. Primary key and the signing subkey are both of type RSA, 2048 bits
> > (OpenPGP v4 key format or later)
> > 2. Key expiration renewed annually to a fixed day of the year
> > 3. Create a revocation certificate & store it hardcopy offsite securely
> > (it's about ~300 bytes).
>
> Ditto for items 1. to 3. here.
>
> > 4. Encrypted backup of your secret keys.
>
> [...]
>
> > Copyright
> > =========
>
> Insert a blank line after the header.
>
> > Copyright (c) 2013 by Robin Hugh Johnson, Andreas K. Hüttel, Marissa Fischer,
> > Michał Górny.
>
> Update the date to "2013, 2018" (and rewrap the paragraph).
>
> Ulrich
--
Best regards,
Michał Górny
* Re: [gentoo-dev] [PATCH v4 00/14] GLEP 63 update
From: Ulrich Mueller @ 2018-07-07 14:20 UTC
To: gentoo-dev; +Cc: robbat2
>>>>> On Sat, 07 Jul 2018, Michał Górny wrote:
>> > 1. SHA2-series output digest (SHA1 digests internally permitted),
>> > 256bit or more::
>> > personal-digest-preferences SHA256
>>
>> Is the config line still needed with current GnuPG versions?
> I'll let others answer that. In any case, the point itself (requiring
> SHA-2 digest) makes sense. The RiseUp standard requires all self-
> signatures to be SHA-2, and I was planning on verifying that as well.
To clarify, my comment was not about removal of the whole item, but
only about the config line.
Ulrich
* Re: [gentoo-dev] [PATCH v4 00/14] GLEP 63 update
From: Kristian Fiskerstrand @ 2018-07-08 13:06 UTC
To: gentoo-dev, Michał Górny; +Cc: robbat2
On 07/07/2018 03:11 PM, Michał Górny wrote:
>>> 1. SHA2-series output digest (SHA1 digests internally permitted),
>>> 256bit or more::
>>> personal-digest-preferences SHA256
>> Is the config line still needed with current GnuPG versions?
> I'll let others answer that. In any case, the point itself (requiring
> SHA-2 digest) makes sense. The RiseUp standard requires all self-
> signatures to be SHA-2, and I was planning on verifying that as well.
>
No, SHA256 in this context is already the default, and it doesn't impact
the cert-algo that you seem to go on about.
--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
* Re: [gentoo-dev] [PATCH v4 00/14] GLEP 63 update
From: Michał Górny @ 2018-07-08 14:01 UTC
To: gentoo-dev; +Cc: robbat2
On Sun, 08.07.2018 at 15:06 +0200, Kristian Fiskerstrand wrote:
> On 07/07/2018 03:11 PM, Michał Górny wrote:
> > > > 1. SHA2-series output digest (SHA1 digests internally permitted),
> > > > 256bit or more::
> > > > personal-digest-preferences SHA256
> > >
> > > Is the config line still needed with current GnuPG versions?
> >
> > I'll let others answer that. In any case, the point itself (requiring
> > SHA-2 digest) makes sense. The RiseUp standard requires all self-
> > signatures to be SHA-2, and I was planning on verifying that as well.
> >
>
> no, SHA256 in this context is already default, and it doesn't impact
> cert-algo that you seem to go on about.
>
Ok, I've removed this other bit too. I'll wait for more comments before
submitting v5.
--
Best regards,
Michał Górny