Given that the key expiration can be updated in place, there is
no reason to provide separate 'minimal' and 'recommended' values.
---
 glep-0063.rst | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index e81c862..7455674 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -6,7 +6,7 @@ Author: Robin H. Johnson <robb...@gentoo.org>,
         Marissa Fischer <blogtodif...@gmail.com>
 Type: Standards Track
 Status: Final
-Version: 1.1
+Version: 2
 Created: 2013-02-18
 Last-Modified: 2018-07-04
 Post-History: 2013-11-10
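Review bot: The Last-Modified header (2018-07-04) appears only as unchanged context while Version moves from 1.1 to 2. If this patch is applied on a later date, Last-Modified should be updated in the same change so the header agrees with the new v2 changelog entry.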
@@ -27,6 +27,11 @@ OpenPGP key management policies for the Gentoo Linux 
distribution.
 Changes
 =======
 
+v2
+  The recommended key expiration rules have been moved to the minimal
+  specification. Changing the expiration date of existing keys is possible
+  in-place so there is no need to provide for transitional 'minimum' value.
+
 v1.1
   The recommended RSA key size has been changed from 4096 bits
   to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
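Review bot: In the new v2 entry, "no need to provide for transitional 'minimum' value" is missing an article and says 'minimum' where the previous sentence says "minimal specification". Suggest "so there is no need to provide a transitional 'minimal' value". The entry would also be more useful if it stated the effect on the minimal requirement (previously "5 years maximum", now 3 years for the primary key and 1 year for the Gentoo subkey), so a reader of the changelog can see what became stricter without diffing the sections.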
@@ -71,7 +76,11 @@ not be used to commit.
 
    c. ECC, curve 25519
 
-3. Key expiry: 5 years maximum
+3. Key expiration:
+
+   a. Primary key: 3 years maximum
+
+   b. Gentoo subkey: 1 year maximum
 
 4. Upload your key to the SKS keyserver rotation before usage!
 
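Review bot: Item 3 tightens the minimal requirement from "5 years maximum" to 3 years and 1 year, so any existing key with a longer expiration stops conforming as soon as this version is published, yet the text gives no deadline or grace period for bringing keys in line. Suggest adding a sentence saying by when existing keys must have their expiration shortened. It would also help to state whether the maximum is measured from the time the expiration is set or from key creation, since the rationale depends on updating the expiration in place.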
@@ -128,11 +137,11 @@ their primary key).
 2. Primary key and a dedicated signing subkey, both of type RSA, 2048 bits
    (OpenPGP v4 key format or later)
 
-3. Key expiry:
+3. Key expiration renewal:
 
-   a. Primary key: 3 years maximum, expiry date renewed annually.
+   a. Primary key: annual
 
-   b. Gentoo subkey: 1 year maximum, expiry date renewed every 6 months.
+   b. Gentoo subkey: every 6 months
 
 4. Create a revocation certificate & store it hardcopy offsite securely
    (it's about ~300 bytes).
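Review bot: With the maxima removed from item 3, "Primary key: annual" and "Gentoo subkey: every 6 months" state only a renewal interval and no longer say what the renewed expiration should be. Suggest writing each as a full instruction that points back to the limits in the minimal specification, for example "Primary key: renew annually, within the 3 year maximum", so the recommended section can still be read on its own.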
-- 
2.18.0