In-Reply-To: <4D8FF6D0.5050008@gentoo.org>
References: <4D8FF6D0.5050008@gentoo.org>
Date: Mon, 28 Mar 2011 07:54:56 -0400
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Cc: Kumba

On Sun, Mar 27, 2011 at 10:47 PM, Kumba wrote:
> 1. How can I revoke the old key?  The revocation cert is probably on the
> same drive.

You can't.  You need the private key to generate a revocation
certificate.  The best you might be able to do is ask keyserver admins
to remove it manually, or try to recover the key.  Or crack RSA...  :)

This is one of the reasons PKI is painful.

> 2. The dev manual states not to create a key with an expiration longer than
> 6 months.  How does this impact items signed already if the key has to be
> replaced bi-annually? (I suspect I'm not fully grasping something here w/r
> to GPG).

When gpg verifies signatures it takes into account the date the
signature was performed.  So, after this date the key is not valid for
new signatures.

Expiration dates are more about receiving encrypted data than sending
it.  Basically it tells people who have your public key to please be
nice and not use this key after this date, that way I don't need to
keep a copy of old keys until the end of time just in case.  In your
case, when your old key expires you will no longer need to worry about
getting an encrypted email you can't read.

They provide no security for stolen keys, since the date can be changed
if you have access to the private key.  This is in contrast to SSL
certificates, where the CA key would be needed to do this.  With SSL
the expiry is more about the CA than the key itself.  The only
security mechanism for stolen certs is revocation.

> 3. If I'm going to start using GPG, I might as well use it for a few things.
> Anyone got pointers for cross-platform use, i.e., Thunderbird on Windows?

Enigmail.  Haven't actually used it on Windows but it is pretty
transparent and I believe it supports Windows.  No graceful solution
to keyring management that I know of, except that the same files
should work on both platforms, and either platform can merge two
keyring files which should make syncs easy (you're generally only
adding to them all the time).

Rich
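As an added example (not part of Rich's reply and not Gentoo or GnuPG code), the following Python walker for the OpenPGP packet format of RFC 4880 shows the mechanism behind the two points above about expiry and "the date the signature was performed": the Key Expiration Time is a subpacket inside the key's own self-signature, not part of the key material, so whoever holds the private key can append a fresh self-signature with a later date, and the v4 fingerprint (SHA-1 over the public-key packet alone) does not change. A verifier then compares a data signature's timestamp against that window. The key bytes are constructed here with placeholder RSA values and a dummy signature MPI, so the code checks structure and timestamps only and verifies no signature; KEY_CREATED, the 180-day and 365-day lifetimes, and every function name are assumptions made for the demonstration.

```python
# Added example (not from the thread): a minimal walker for OpenPGP packets (RFC 4880)
# showing where a key's expiration lives. Key bytes are constructed placeholders.
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY = 2, 6
SUB_SIG_CREATED, SUB_KEY_EXPIRES = 2, 9   # hashed signature subpacket types
SIG_POSITIVE_CERT = 0x13                  # self-certification of a user ID

def _enc_len(n):
    """New-format one/two-octet length (RFC 4880 4.2.2); enough for key packets here."""
    if n < 192:
        return bytes([n])
    assert n < 8384, "five-octet lengths not needed for this example"
    return bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])

def _dec_len(buf, pos):
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    raise ValueError("five-octet and partial body lengths are not supported here")

def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def _packet(tag, body):
    return bytes([0xC0 | tag]) + _enc_len(len(body)) + body

def _subpacket(sub_type, body):
    return _enc_len(len(body) + 1) + bytes([sub_type]) + body

def public_key_packet(created, n=0xC0FFEE, e=65537):
    """v4 RSA public-key packet; n and e are placeholders, not a real key."""
    return _packet(TAG_PUBLIC_KEY, b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e))

def self_signature(sig_created, expires_after=None):
    """v4 positive certification; expires_after is seconds after key creation. MPI is a dummy."""
    hashed = _subpacket(SUB_SIG_CREATED, struct.pack(">I", sig_created))
    if expires_after is not None:
        hashed += _subpacket(SUB_KEY_EXPIRES, struct.pack(">I", expires_after))
    body = (bytes([4, SIG_POSITIVE_CERT, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\x00\x00" + _mpi(1))   # no unhashed subpackets, dummy hash prefix
    return _packet(TAG_SIGNATURE, body)

def iter_packets(data):
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0xC0 != 0xC0:
            raise ValueError("old-format packet header; this walker handles new-format only")
        length, pos = _dec_len(data, pos + 1)
        yield hdr & 0x3F, data[pos:pos + length]
        pos += length

def parse_subpackets(buf):
    out, pos = {}, 0
    while pos < len(buf):
        length, pos = _dec_len(buf, pos)
        out[buf[pos]] = buf[pos + 1:pos + length]
        pos += length
    return out

def fingerprint(pubkey_body):
    """v4 fingerprint: SHA-1 over 0x99 || 2-byte length || public-key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).hexdigest().upper()

def key_info(blob):
    """(fingerprint, key_created, key_expires); expires is None without a Key Expiration subpacket."""
    fpr = created = expires = None
    newest_sig = -1
    for tag, body in iter_packets(blob):
        if tag == TAG_PUBLIC_KEY and body[0] == 4:
            fpr, created = fingerprint(body), struct.unpack(">I", body[1:5])[0]
        elif tag == TAG_SIGNATURE and body[0] == 4 and 0x10 <= body[1] <= 0x13:  # any certification
            hashed_len = struct.unpack(">H", body[4:6])[0]
            subs = parse_subpackets(body[6:6 + hashed_len])
            sig_created = struct.unpack(">I", subs[SUB_SIG_CREATED])[0]
            if sig_created > newest_sig:   # gpg honours the most recent self-signature
                newest_sig = sig_created
                exp = subs.get(SUB_KEY_EXPIRES)
                expires = created + struct.unpack(">I", exp)[0] if exp else None
    return fpr, created, expires

def signature_within_validity(blob, sig_time):
    """Was a data signature made at sig_time inside the key's validity window?"""
    _, created, expires = key_info(blob)
    return created <= sig_time and (expires is None or sig_time < expires)

DAY = 86400
KEY_CREATED = 1300000000   # constructed: a key made in March 2011
KEY_6M = public_key_packet(KEY_CREATED) + self_signature(KEY_CREATED, 180 * DAY)
# Holder of the private key later appends a fresh self-signature with a longer life.
KEY_1Y = KEY_6M + self_signature(KEY_CREATED + 170 * DAY, 365 * DAY)

if __name__ == "__main__":
    for name, blob in (("180-day self-sig", KEY_6M), ("re-certified to 365 days", KEY_1Y)):
        print(name, key_info(blob), signature_within_validity(blob, KEY_CREATED + 200 * DAY))
```

Running it prints the same fingerprint for both blobs while the signature made 200 days after key creation flips from rejected to accepted once the longer self-signature is appended, which is exactly why an expiry date offers no protection against a stolen private key. Two caveats: real `gpg --export` output usually wraps key packets in old-format headers, which this walker refuses rather than misparse, and for question 1 the practical safeguard is to run `gpg --gen-revoke` immediately after generating a key and store the resulting certificate somewhere other than the drive holding the key.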