Reword the specification to express the requirement for separate signing
subkey more verbosely. Replace the ambiguous term 'dedicated' with
clear explanation that it needs to be different from the primary key
and not used for other purposes.
Suggested-by: Kristian Fiskerstrand <k...@gentoo.org>
---
glep-0063.rst | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index d3e12e0..2f4e7f8 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -74,22 +74,25 @@ not be used to commit.
personal-digest-preferences SHA256
-2. Primary key and a dedicated signing subkey, both of EITHER:
+2. Signing subkey that is different from the primary key, and does not
+ have any other capabilities enabled.
+
+3. Primary key and the signing subkey are both of type EITHER:
a. RSA, >=2048 bits (OpenPGP v4 key format or later only)
b. ECC, curve 25519
-3. Key expiration:
+4. Key expiration:
a. Primary key: 3 years maximum
b. Signing subkey: 1 year maximum
-4. Key expiration date renewed at least 2 weeks before the previous
+5. Key expiration date renewed at least 2 weeks before the previous
expiration date.
-5. Upload your key to the SKS keyserver rotation before usage!
+6. Upload your key to the SKS keyserver rotation before usage!
Recommendations
---------------
@@ -141,7 +144,7 @@ their primary key).
# when making an OpenPGP certification, use a stronger digest than the
default SHA1:
cert-digest-algo SHA256
-2. Primary key and a dedicated signing subkey, both of type RSA, 2048 bits
+2. Primary key and the signing subkey are both of type RSA, 2048 bits
(OpenPGP v4 key format or later)
3. Key expiration renewal:
--
2.18.0
