diff options
author | Michał Górny <mgorny@gentoo.org> | 2018-07-04 12:03:57 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2018-07-29 22:07:26 +0200 |
commit | 4c6ee94a5f65ade7ea61fe5f6dd7eb55adbc5497 (patch) | |
tree | 3d8a0ed5e08d69cc9faf77344fc5c8257ac077a5 /glep-0063.rst | |
parent | glep-0063: Stop recommending DSA subkeys (diff) | |
download | glep-4c6ee94a5f65ade7ea61fe5f6dd7eb55adbc5497.tar.gz glep-4c6ee94a5f65ade7ea61fe5f6dd7eb55adbc5497.tar.bz2 glep-4c6ee94a5f65ade7ea61fe5f6dd7eb55adbc5497.zip |
glep-0063: Update and unify expiration term
Replace the disjoint 'minimum' and 'recommendation' for expiration with
a single requirement. Make it 2.5 years with recommended annual renewal
to a fixed day of the year (2 years + some grace time for renewal).
Also, remove disjoint expiration recommendation for the primary key
and subkeys since many developers fail at implementing that anyway.
Diffstat (limited to 'glep-0063.rst')
-rw-r--r-- | glep-0063.rst | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/glep-0063.rst b/glep-0063.rst index 7f870bb..9ba778b 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -7,7 +7,7 @@ Author: Robin H. Johnson <robbat2@gentoo.org>, Michał Górny <mgorny@gentoo.org> Type: Standards Track Status: Final -Version: 1.1 +Version: 2 Created: 2013-02-18 Last-Modified: 2018-07-07 Post-History: 2013-11-10 @@ -28,6 +28,11 @@ OpenPGP key management policies for the Gentoo Linux distribution. Changes ======= +v2 + The distinct minimal and recommended expirations have been replaced + by a single requirement. The rules have been simplified to use + the same maximum time of 900 days for both the primary key and subkeys. + v1.1 The recommended RSA key size has been changed from 4096 bits to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_. @@ -75,7 +80,8 @@ not be used to commit. c. ECC curve 25519 -4. Key expiry: 5 years maximum +4. Expiration date on key and all subkeys set to no more than 900 days + into the future 5. Upload your key to the SKS keyserver rotation before usage! @@ -132,11 +138,7 @@ their primary key). 2. Primary key and the signing subkey are both of type RSA, 2048 bits (OpenPGP v4 key format or later) -3. Key expiry: - - a. Primary key: 3 years maximum, expiry date renewed annually. - - b. Signing subkey: 1 year maximum, expiry date renewed every 6 months. +3. Key expiration renewed annually to a fixed day of the year 4. Create a revocation certificate & store it hardcopy offsite securely (it's about ~300 bytes). |