Replace the disjoint 'minimum' and 'recommendation' for expiration with
a single requirement.  Make it 2 years.  Also, remove disjoint
expiration recommendation for the primary key and subkeys since many
developers fail at implementing that anyway.
---
 glep-0063.rst | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 8c3dd1b..0fdf5ed 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -6,7 +6,7 @@ Author: Robin H. Johnson <[email protected]>,
         Marissa Fischer <[email protected]>
 Type: Standards Track
 Status: Final
-Version: 1.1
+Version: 2
 Created: 2013-02-18
 Last-Modified: 2018-07-05
 Post-History: 2013-11-10
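Review bot: Last-Modified stays at 2018-07-05 in the context lines while Version moves from 1.1 to 2. Please confirm that date is the date of this revision, and update it in this hunk if it is not. Status remains Final although the patch changes a normative requirement, so it is worth stating in the commit message that a Final GLEP is being revised in place.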
@@ -27,6 +27,11 @@ OpenPGP key management policies for the Gentoo Linux 
distribution.
 Changes
 =======
 
+v2
+  The distinct minimal and recommended expirations have been replaced
+  by a single requirement. The rules have been simplified to use
+  the same time of 2 years for both the primary key and subkeys.
+
 v1.1
   The recommended RSA key size has been changed from 4096 bits
   to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
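Review bot: The v2 changelog entry says "the same time of 2 years", but the rule added later in the patch reads "at most 2 years", so the entry should say "a maximum of 2 years" to avoid being read as a fixed lifetime. It also omits two changes a reader with an existing key needs to know: the bare-minimum limit drops from 5 years to 2, and the recommended section now asks for annual renewal of every key where subkeys were previously renewed every 6 months. Unlike the v1.1 entry, it gives no rationale or reference for the new value.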
@@ -74,7 +79,7 @@ not be used to commit.
 
    c. ECC curve 25519
 
-4. Key expiry: 5 years maximum
+4. Expiration date on key and all subkeys set to at most 2 years
 
 5. Upload your key to the SKS keyserver rotation before usage!
 
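Review bot: In the new item 4, "at most 2 years" does not say what the interval is measured from (key creation, or the moment the expiration is set or renewed), and that decides whether a renewed key can ever comply. Suggest wording such as "expiration date on the primary key and all subkeys no more than 2 years in the future". Since the limit tightens from "5 years maximum", keys that met the old text stop conforming once this lands; a sentence on the transition for existing keys would help. "key" should also read "primary key" to match the changelog wording.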
@@ -131,11 +136,7 @@ their primary key).
 2. Primary key and the signing subkey are both of type RSA, 2048 bits
    (OpenPGP v4 key format or later)
 
-3. Key expiry:
-
-   a. Primary key: 3 years maximum, expiry date renewed annually.
-
-   b. Signing subkey: 1 year maximum, expiry date renewed every 6 months.
+3. Key expiration renewed annually
 
 4. Create a revocation certificate & store it hardcopy offsite securely
    (it's about ~300 bytes).
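Review bot: The replacement item 3, "Key expiration renewed annually", drops every maximum from this list and no longer mentions subkeys, while the removed lines covered both the primary key and the signing subkey explicitly. If this list is meant to inherit the 2-year limit from item 4 of the earlier list, say so here, for example "Expiration date on primary key and all subkeys renewed annually (2 years maximum)". As written, the line is also a fragment next to the full descriptions in items 2 and 4.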
-- 
2.18.0

