From: Michał Górny
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] [pre-GLEP RFC] New GLEP: Gentoo OpenPGP Authority Keys
Date: Sun, 24 Feb 2019 17:02:23 +0100
Message-ID: <1551024143.21411.2.camel@gentoo.org>
References: <20190224141356.7707-1-mgorny@gentoo.org>
Organization: Gentoo
List-Id: Gentoo Project discussion list
On Sun, 2019-02-24 at 09:38 -0500, Rich Freeman wrote:
> Overall, really good - just have a few comments for consideration
> regarding expiration management.
> 
> On Sun, Feb 24, 2019 at 9:13 AM Michał Górny wrote:
> > 
> > +Whenever an old signature expires, a new one is automatically created.
> 
> Unless this is just intended as loose wording, I'd suggest extending
> expirations before keys expire, that way if keyservers are
> inaccessible or users are offline there isn't as much exposure to a
> period of non-validity.
> 
> Perhaps renew signatures a month prior to expiry, assuming the key has
> remaining validity beyond the expiration date.

It's intended to be loose. There's no reason to force specific
implementation details here; I just indicate that renewing is necessary.

> 
> > +The L2 Authority Keys are used directly to sign developer keys. Since
> > +they are used in an automated service, they are exposed to attacks.
> > +They are trust-signed by the L1 key and can be revoked and rotated more
> > +frequently than the L1 key.
> 
> If we're going to rotate the L2 keys, then likewise I'd consider
> managing a period of overlapping validity. That is:

This only means rotating as a result of revocation. Which is not
something we're going to predict up front. Well, technically we could
have a replacement key prepared up front and kept secure but, again,
that doesn't belong in the GLEP.
-- 
Best regards,
Michał Górny
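The renewal policy Rich Freeman proposes above (renew a certification a month before it expires, but only while the signed key itself stays valid beyond that date) is easy to get subtly wrong in an automated signer: a fresh signature must never outlive the key it certifies, and a key that has already expired must not be re-signed at all. The following is an added illustration written for this archive page; it is not code from the GLEP draft, from the thread, or from Gentoo's infrastructure. The 30-day margin, the one-year signature lifetime, the key ids and all dates are constructed values, and the data model is a plain stand-in rather than any real OpenPGP library's API.

```python
"""Renewal scheduler for expiring OpenPGP certifications.

Added illustration modelling the "renew a month before expiry, if the key
is still valid beyond that" policy suggested in the thread. Not part of the
GLEP or of Gentoo's signing service; all values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

RENEW_MARGIN = timedelta(days=30)    # assumed policy value ("a month prior to expiry")
SIG_LIFETIME = timedelta(days=365)   # assumed lifetime of a freshly issued certification


@dataclass(frozen=True)
class Certification:
    key_id: str                        # constructed, hypothetical key identifier
    sig_expires: datetime              # expiry of the current certification on the key
    key_expires: Optional[datetime]    # None means the key itself never expires


@dataclass(frozen=True)
class Decision:
    key_id: str
    action: str                        # "renew", "wait" or "skip"
    new_expiry: Optional[datetime]     # expiry to put on the new signature, if any
    reason: str


def plan_renewal(cert: Certification, now: datetime) -> Decision:
    """Decide what the automated signer should do with one certification at `now`."""
    # Never re-certify a key whose own validity has already ended.
    if cert.key_expires is not None and cert.key_expires <= now:
        return Decision(cert.key_id, "skip", None, "key already expired")

    # Outside the renewal margin (and not yet expired): nothing to do.
    if cert.sig_expires - now > RENEW_MARGIN:
        return Decision(cert.key_id, "wait", None, "not within renewal margin")

    # The proposed condition: renew only if the key stays valid beyond the
    # signature's expiry; otherwise the key owner has to extend the key first.
    if cert.key_expires is not None and cert.key_expires <= cert.sig_expires:
        return Decision(cert.key_id, "skip", None,
                        "key expires with or before the signature; extend key first")

    # Issue a new signature, capped so it never outlives the key it certifies.
    new_expiry = now + SIG_LIFETIME
    if cert.key_expires is not None and new_expiry > cert.key_expires:
        new_expiry = cert.key_expires
    return Decision(cert.key_id, "renew", new_expiry, "within renewal margin")


def plan_all(certs: List[Certification], now: datetime) -> List[Decision]:
    return [plan_renewal(c, now) for c in certs]


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample: a reference "now" and five certifications in different states.
NOW = utc(2019, 3, 1)
SAMPLE_CERTS = [
    Certification("KEY-A", utc(2019, 3, 20), utc(2020, 1, 1)),   # renew, capped at key expiry
    Certification("KEY-B", utc(2019, 6, 1), None),               # too early, wait
    Certification("KEY-C", utc(2019, 3, 10), utc(2019, 3, 10)),  # key ends with sig, skip
    Certification("KEY-D", utc(2019, 2, 1), None),               # already lapsed, renew now
    Certification("KEY-E", utc(2019, 3, 5), utc(2019, 2, 15)),   # key already expired, skip
]


def sample_plan() -> List[Tuple[str, str, Optional[str]]]:
    """Run the policy over the constructed sample; returns (key_id, action, new expiry date)."""
    return [
        (d.key_id, d.action, d.new_expiry.date().isoformat() if d.new_expiry else None)
        for d in plan_all(SAMPLE_CERTS, NOW)
    ]


if __name__ == "__main__":
    for key_id, action, expiry in sample_plan():
        print(f"{key_id}: {action}" + (f" until {expiry}" if expiry else ""))
```

Note the asymmetry the check enforces: a signature that has already lapsed (KEY-D) is still renewed, matching the draft's "whenever an old signature expires, a new one is automatically created", while an expired key (KEY-E) is left alone regardless of the signature's state. The capping step is what keeps the overlap honest: KEY-A gets a shorter signature than the nominal lifetime because its key runs out first.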