From: Rich Freeman <rich0@gentoo.org>
To: gentoo-project <gentoo-project@lists.gentoo.org>
Subject: Re: [gentoo-project] [pre-GLEP RFC] New GLEP: Gentoo OpenPGP Authority Keys
Date: Sun, 24 Feb 2019 09:38:59 -0500 [thread overview]
Message-ID: <CAGfcS_=2LSNpKoJOLuNEdXKJBgTOOb3=ojU=fn3GsW-scFn1xQ@mail.gmail.com> (raw)
In-Reply-To: <20190224141356.7707-1-mgorny@gentoo.org>
Overall, really good - just have a few comments for consideration
regarding expiration management.
On Sun, Feb 24, 2019 at 9:13 AM Michał Górny <mgorny@gentoo.org> wrote:
>
> +Whenever an old signature expires, a new one is automatically created.
Unless this is just intended as loose wording, I'd suggest extending
expirations before keys expire, that way if keyservers are
inaccessible or users are offline there isn't as much exposure to a
period of non-validity.
Perhaps renew signatures a month prior to expiry, assuming the key has
remaining validity beyond the expiration date.
> +The L2 Authority Keys are used directly to sign developer keys. Since
> +they are used in an automated service, they are exposed to attacks.
> +They are trust-signed by the L1 key and can be revoked and rotated more
> +frequently than the L1 key.
If we're going to rotate the L2 keys, then likewise I'd consider
managing a period of overlapping validity. That is:
1. Generate new L2 key and sign with L1 when L2 has at least 30 days
expiry remaining.
2. Re-sign all dev keys with new L2 key and use the L2 key
exclusively going forward.
3. Wait 30 days.
4. Revoke old L2 key, or allow to expire. Destroy or archive old L2
private key.
This could be trivially implemented by simply not expiring the old L2
key and replacing it a month before it expires, and set the new L2
expiration in line with the rotation strategy.
Rationale:
a. Again, keyservers sometimes are offline, or users are offline, so
overlapping validity means that users are less exposed to invalid
signatures during an instantaneous transition period.
b. No need to continue to sign with the old L2 key during the
transition since users would get the new L2 key at the same time that
they would have gotten any new signatures made by the old key.
My comment is not intended to argue for/against the need for L2 key
rotation in the first place, just suggest that it be managed in a more
graceful manner if it is performed.
I also acknowledge that these comments might be more granular than
intended by the GLEP and suitably generic wording is fine, or perhaps
the original GLEP was already intended to be inclusive of this option.
--
Rich
next prev parent reply other threads:[~2019-02-24 14:39 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-24 14:13 [gentoo-project] [pre-GLEP RFC] New GLEP: Gentoo OpenPGP Authority Keys Michał Górny
2019-02-24 14:38 ` Rich Freeman [this message]
2019-02-24 16:02 ` Michał Górny
2019-02-24 17:04 ` Alec Warner
2019-02-24 17:10 ` Michał Górny
2019-02-24 17:35 ` Alec Warner
2019-03-10 16:53 ` Thomas Deutschmann
2019-03-10 18:16 ` Michał Górny
2019-03-10 18:46 ` Alec Warner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGfcS_=2LSNpKoJOLuNEdXKJBgTOOb3=ojU=fn3GsW-scFn1xQ@mail.gmail.com' \
--to=rich0@gentoo.org \
--cc=gentoo-project@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox