On Friday 14 August 2020 at 01:10:02+0200, Ángel wrote:
> On 2020-08-13 at 16:43 +0200, Pierre-Elliott Bécue wrote:
> > > gpg has a `--ask-cert-expire` flag and a `--default-cert-expire` 
> > > option in that effect.  Expired certification signatures will be 
> > > ignored when building the Web of Trust.
> > > 
> > > Cheers
> > 
> > This could work, but we'd have to handle the case when developers
> > forget to set a signature as time-limited/don't follow this thread and
> > never care to set it up.
> > 
> > I'd rather avoid relying on signatures, than making the meaning of
> > signature quite less tangible.
> 
> 
> I don't see your point. We have a general standard of what to require
> for signing, and this thread started asking about weakening them due to
> the pandemic.
> 
> Limiting the time the signature is valid is a time-limited way to do
> that. And it is a cryptographic one, which is a very nice feature.
> I would like to have some common notation so that the standard used
> could be tracked, too.
> 
> If a developer is going to forget how to do a "weak value" signature, he
> should probably stick to the standards he has generally used, but
> anyway, if someone wanted to do a limited-time signature but forgot the
> parameter, he should do exactly the same as if he signed Eve's key while
> intending to sign Alice's: revoke the wrong signature and create a new
> one.

I fully agree on the principle, but there is a big hiatus between what
some do with their GPG key and what others do.

Without being judgmental, I think this spectrum of ways to do things has
to be taken into account before giving any project-wide directives
regarding identity certification.

Cheers,

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
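
The concern raised in this thread, that a certification meant to be time-limited may be issued without an expiry, can be checked mechanically. The following is an added example, not part of the original messages: it parses `gpg --list-sigs --with-colons` output and reports, per third-party certification, whether it carries an expiry. The key IDs and names in the sample are constructed, and the code assumes expiry fields are epoch seconds.

```python
# Added example: audit third-party certifications for a missing expiry.
# SAMPLE imitates `gpg --list-sigs --with-colons` output; all key IDs,
# names and timestamps in it are constructed for illustration.
from datetime import datetime, timezone

SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC::::::23::0:
uid:-::::1500000000::0000000000000000000000000000000000000000::Alice (constructed) <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice (constructed) <alice@example.org>:13x:::::10:
sig:::1:BBBBBBBBBBBBBBBB:1597000000:1628536000:::Bob (constructed) <bob@example.org>:10x:::::10:
sig:::1:CCCCCCCCCCCCCCCC:1597100000::::Carol (constructed) <carol@example.org>:10x:::::10:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature types


def audit_certifications(colon_output, now=None):
    """Return [(issuer_keyid, status)] for certifications made by other keys.

    status is "no-expiry", "time-limited" or "expired".
    """
    now = now or datetime.now(timezone.utc)
    primary = None
    findings = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]                      # field 5: key ID of the primary key
        elif f[0] == "sig" and len(f) > 10:
            issuer, expires, sig_class = f[4], f[6], f[10]
            if issuer == primary:               # self-signature, not a WoT certification
                continue
            if sig_class[:2] not in CERT_CLASSES:
                continue
            if not expires:                     # field 7 empty: never expires
                status = "no-expiry"
            elif datetime.fromtimestamp(int(expires), timezone.utc) <= now:
                status = "expired"              # ignored when building the Web of Trust
            else:
                status = "time-limited"
            findings.append((issuer, status))
    return findings


if __name__ == "__main__":
    for issuer, status in audit_certifications(SAMPLE):
        print(issuer, status)
```
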
