Re: [gentoo-dev] validity of manifest signing key
* Dane Smith wrote on 25.03.11 at 12:35:
> On 03/25/2011 05:47 AM, Thomas Kahle wrote:
>> Hi,
>> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?
>> -) Extend expiry date and upload again?
>> -) Create new key (and sign with ?? ) ?
>> Cheers, Thomas
>
> Traditionally you start using your new key the day your old key expires.

Do you really mean a new key? This is not required. You can extend the validity once you come close to the expiry date (or do it after the key has expired).

-Marc
--
8AAC 5F46 83B4 DB70 8317 3723 296C 6CCA 35A6 4134

Re: [gentoo-dev] validity of manifest signing key
Hi,

I have been signing my commits since I became a dev, but I just discovered that I only do sha1 signing. How do I switch to sha256 signing?

justin

Re: [gentoo-dev] validity of manifest signing key
On Sat, 25 Jun 2011 09:37:55 +0200 justin j...@gentoo.org wrote:
> I have been signing my commits since I became a dev, but I just discovered that I only do sha1 signing. How do I switch to sha256 signing?

$ grep digest ~/.gnupg/gpg.conf
personal-digest-preferences sha256,sha512,sha1,ripemd160,md5

--
Best regards,
Michał Górny

Re: [gentoo-dev] validity of manifest signing key
On 3/25/11 8:00 PM, Mike Frysinger wrote:
> i wasn't aware you could extend the expiration date of a key. that sort of defeats the purpose of having an expiration date, doesn't it? then someone could steal your expired key, extend the date, and keep using it.

I think that's one more reason for revocation certificates.

By the way, an expiration date that can be extended is still useful. It can serve as a dead-man switch in case you lose the private key, see https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#set-an-expiration-date-if-you-do-not-have-one. In other words, an expiration date that can be extended is still safer than no expiration date at all, and is almost as convenient (transition to a new key generally is somewhat inconvenient).

[gentoo-dev] validity of manifest signing key
Hi,

it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?
-) Extend expiry date and upload again?
-) Create new key (and sign with ?? ) ?

Cheers,
Thomas
--
Thomas Kahle
http://dev.gentoo.org/~tomka/

Re: [gentoo-dev] validity of manifest signing key
Thomas Kahle dixit (2011-03-25, 10:47):
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?

“After size comes the expiration date. Here smaller is better, but most users can go for a key that never expires or to something like 2 or 3 years.”

Can't find anything about 6 months.
--
[a]

Re: [gentoo-dev] validity of manifest signing key
On Fri, 2011-03-25 at 10:55 +0100, Antoni Grzymala wrote:
> Thomas Kahle dixit (2011-03-25, 10:47):
>> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?
>
> “After size comes the expiration date. Here smaller is better, but most users can go for a key that never expires or to something like 2 or 3 years.”
>
> Can't find anything about 6 months.

He prolly wanted to post http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6

Re: [gentoo-dev] validity of manifest signing key
On 03/25/2011 05:47 AM, Thomas Kahle wrote:
> Hi,
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?
> -) Extend expiry date and upload again?
> -) Create new key (and sign with ?? ) ?
> Cheers, Thomas

Traditionally you start using your new key the day your old key expires.

Having said that, 6 months seems a little paranoid, even by my standards. (And I'm a professional paranoid.) I'd say for a developer, ~ 1 year is more than adequate.

--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index

Re: [gentoo-dev] validity of manifest signing key
On Fri, 25 Mar 2011 10:47:19 +0100 Thomas Kahle to...@gentoo.org wrote:
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?

I'd say that should be changed. With keys changing every half a year, we're soon going to have a tree spammed with Manifests signed using expired keys.

--
Best regards,
Michał Górny

Re: [gentoo-dev] validity of manifest signing key
>> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?
>
> I'd say that should be changed. With keys changing every half a year, we're soon going to have a tree spammed with Manifests signed using expired keys.

Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).

--
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfri...@gentoo.org
http://www.akhuettel.de/

Re: [gentoo-dev] validity of manifest signing key
On Fri, Mar 25, 2011 at 10:53 AM, Andreas K. Huettel wrote:
>>> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?
>>
>> I'd say that should be changed. With keys changing every half a year, we're soon going to have a tree spammed with Manifests signed using expired keys.
>
> Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).

it does not. the only thing that matters when checking signatures is that the key was valid *when the signature was made*. the fact that you're checking the signature years after the key expired is irrelevant.
-mike

Re: [gentoo-dev] validity of manifest signing key
On Fri, Mar 25, 2011 at 5:47 AM, Thomas Kahle wrote:
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?
> -) Extend expiry date and upload again?

i wasn't aware you could extend the expiration date of a key. that sort of defeats the purpose of having an expiration date, doesn't it? then someone could steal your expired key, extend the date, and keep using it.
-mike

Re: [gentoo-dev] validity of manifest signing key
On Fri, Mar 25, 2011 at 10:47:19AM +0100, Thomas Kahle wrote:
> Hi,
> it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 that the validity should be 6 months. What is the protocol when the expiry date is approaching?
> -) Extend expiry date and upload again?

Extend it and make sure you upload.

Also, I propose we change the suggested validity time to 1 or 2 years, due to the implications on key-signing (certifications): specifically, GPG/PGP as a protocol requires that your certification expires on or before the key at the time of signing the key.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

Re: [gentoo-dev] validity of manifest signing key
>> -) Extend expiry date and upload again?
>
> i wasn't aware you could extend the expiration date of a key. that sort of defeats the purpose of having an expiration date, doesn't it? then someone could steal your expired key, extend the date, and keep using it.

The expiration date is a property of the self-signature. If you can re-do the self-signature (i.e. you have access to the secret key), you can extend the expiration date.

If someone steals your expired key, *and* has full access to the secret part - yes, then he can reactivate it.

If you want to permanently disable your key, you should generate a revocation certificate (which is also a signature). AFAIK, there is no way to revoke a revocation.

--
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfri...@gentoo.org
http://www.akhuettel.de/

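The following script is an added example and is not code from this thread or from Gentoo. It exercises, end to end, the three things the thread argues about: the personal-digest-preferences setting from Michał's reply (justin's sha1 question), Andreas's point that the expiry lives in the self-signature and can be re-issued by whoever holds the secret key, and the Mike/Andreas exchange about what a verifier sees once the key has expired. Everything runs in a throwaway GNUPGHOME with a constructed identity and a constructed Manifest line, so the real keyring is never touched. It assumes GnuPG 2.1.17 or newer (for --quick-set-expire and the auto-generated revocation certificate) and uses --faked-system-time to look at the same detached signature from 400 days in the future. The status tokens are the point: GOODSIG, EXPKEYSIG and REVKEYSIG all mean the signature itself verified; only the status line, not gpg's exit code, tells you that the key has since expired or been revoked, which is what any Manifest-checking tool has to decide on deliberately.

```shell
#!/bin/sh
# Added example, not code from the gentoo-dev thread. Walks the key lifecycle the
# thread discusses (digest preference, 6-month expiry, extending the expiry via a
# fresh self-signature, revocation) inside a throwaway GNUPGHOME so the real
# keyring is never touched. Assumes GnuPG 2.1.17 or newer (for --quick-set-expire).
set -eu

# Constructed identity and Manifest content; nothing here is real Gentoo data.
DEMO_UID="Manifest Signing Demo <demo@example.invalid>"
DEMO_MANIFEST='DIST example-1.0.tar.gz 1234 SHA512 0000000000000000'
# A clock value ~400 days ahead: past a 6-month expiry, inside a 2-year one.
FUTURE=$(( $(date +%s) + 400 * 86400 ))

# Succeeds only if a GnuPG that knows --quick-set-expire is on PATH.
require_gpg() {
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --dump-options 2>/dev/null | grep -q '^--quick-set-expire$'
}

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# Isolated keyring plus the gpg.conf digest preference from the thread.
setup_home() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    trap cleanup EXIT
    printf 'personal-digest-preferences SHA512 SHA256\n' > "$GNUPGHOME/gpg.conf"
}

# RSA signing key with a 6-month expiry and no passphrase; prints its fingerprint.
gen_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$DEMO_UID" rsa2048 sign 6m >/dev/null 2>&1
    gpg --batch --with-colons --with-fingerprint --list-keys "$DEMO_UID" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached signature over $1, written to $1.sig, as a Manifest commit would make.
sign_file() {
    gpg --batch --pinentry-mode loopback --passphrase '' --yes \
        --detach-sign --output "$1.sig" "$1" 2>/dev/null
}

# Digest id from the VALIDSIG status line (2 = SHA1, 8 = SHA256, 10 = SHA512).
sig_hash_algo() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $10; exit }'
}

# Verify $1.sig with the clock faked to $2 (epoch seconds) and print the decisive
# status token. gpg's exit code is ignored on purpose: EXPKEYSIG and REVKEYSIG mean
# the signature itself verified, and only the status lines separate them from GOODSIG.
verify_at() {
    gpg --batch --status-fd 1 --faked-system-time "$2" --verify "$1.sig" "$1" 2>/dev/null \
        | awk 'BEGIN { s = "NONE" }
               $2 ~ /^(GOODSIG|EXPKEYSIG|REVKEYSIG|BADSIG)$/ { s = $2; exit }
               END { print s }'
}

# Re-do the self-signature with a new expiry; only the secret key holder can.
extend_expiry() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-set-expire "$1" "$2" 2>/dev/null
}

# Import the revocation certificate GnuPG wrote at key creation. The file carries a
# leading colon before the armor header so it cannot be imported by accident; strip
# it, as the file's own instructions say. Once imported, this cannot be undone.
revoke_key() {
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" \
        | gpg --batch --import 2>/dev/null
}

main() {
    if ! require_gpg; then
        echo "skipping: GnuPG with --quick-set-expire not found"
        return 0
    fi
    setup_home
    FPR=$(gen_key)
    MANIFEST="$GNUPGHOME/Manifest"
    printf '%s\n' "$DEMO_MANIFEST" > "$MANIFEST"
    sign_file "$MANIFEST"
    HASH_ALGO=$(sig_hash_algo "$MANIFEST")              # 10: SHA512 from gpg.conf
    STATUS_NOW=$(verify_at "$MANIFEST" "$(date +%s)")   # GOODSIG
    STATUS_EXPIRED=$(verify_at "$MANIFEST" "$FUTURE")   # EXPKEYSIG: key expired, sig intact
    extend_expiry "$FPR" 2y
    STATUS_EXTENDED=$(verify_at "$MANIFEST" "$FUTURE")  # GOODSIG again, same old signature
    revoke_key "$FPR"
    STATUS_REVOKED=$(verify_at "$MANIFEST" "$FUTURE")   # REVKEYSIG: revocation is final
    printf 'digest=%s now=%s expired=%s extended=%s revoked=%s\n' \
        "$HASH_ALGO" "$STATUS_NOW" "$STATUS_EXPIRED" "$STATUS_EXTENDED" "$STATUS_REVOKED"
}

main
```

Run it as a plain script; it prints one line with the digest id and the four status tokens. The "expired" then "extended" pair is the thread's argument in miniature: the detached signature never changes, only the key's self-signature does, so the verdict on the same bytes flips from EXPKEYSIG back to GOODSIG the moment a new self-signature with a later expiry is in the keyring. The revocation step shows why Andreas points at revocation certificates rather than expiry for disabling a key for good: after the import the same signature reports REVKEYSIG no matter what the clock says.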
Re: [gentoo-dev] validity of manifest signing key
On Fri, Mar 25, 2011 at 12:35 PM, Robin H. Johnson wrote:
> Also, I propose we change the suggested validity time to 1 or 2 years,

sounds reasonable to me. i've been 1 year for a while anyways as the 6 month one got to be annoying.
-mike