W dniu pią, 06.07.2018 o godzinie 06∶08 +0000, użytkownik Robin H. Johnson napisał: > On Fri, Jul 06, 2018 at 07:43:56AM +0200, Ulrich Mueller wrote: > > > > > > > On Thu, 5 Jul 2018, Michał Górny wrote: > > > Replace the disjoint 'minimum' and 'recommendation' for expiration > > > with a single requirement. Make it 2 years. Also, remove disjoint > > > expiration recommendation for the primary key and subkeys since many > > > developers fail at implementing that anyway. > > > > Still NACK. If expiration is exactly 2 years and renewal must happen > > 2 weeks before the expiry date, then it is not possible to keep the > > same date. > > > > Example: The key will expire at 2018-12-31, so it must be renewed at > > 2018-12-17 or earlier. This will make it impossible to keep the same > > month and day (unless one would reset it to 2019-12-31, which is only > > one year though). > > > > So please, make it something like 2 years + 3 months. > > option a) > 2 years + N: > 2 weeks <= N <= 3 months. > > option b) > Change the wording to be 'at most 2 years' instead of 'exactly 2 years'.
That *is* the wording. > Separately: > Is two weeks enough time for a new key distribution to users? I originally wanted to specify one month but k_f insisted on something shorter. 2 weeks were the compromise we agreed on. That said, I'd say weekly 'gpg --refresh' is what we should recommend as the bare minimum. That said, the point of two weeks is mostly to give us time to remind developers that their key is expiring and to give them time to actually read their mail and do it before it actually expires. -- Best regards, Michał Górny
signature.asc
Description: This is a digitally signed message part
