Given that the key expiration can be updated in place, there is no reason to provide separate 'minimal' and 'recommended' values. --- glep-0063.rst | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst index e81c862..7455674 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -6,7 +6,7 @@ Author: Robin H. Johnson <robb...@gentoo.org>, Marissa Fischer <blogtodif...@gmail.com> Type: Standards Track Status: Final -Version: 1.1 +Version: 2 Created: 2013-02-18 Last-Modified: 2018-07-04 Post-History: 2013-11-10 @@ -27,6 +27,11 @@ OpenPGP key management policies for the Gentoo Linux distribution. Changes ======= +v2 + The recommended key expiration rules have been moved to the minimal + specification. Changing the expiration date of existing keys is possible + in-place so there is no need to provide for transitional 'minimum' value. + v1.1 The recommended RSA key size has been changed from 4096 bits to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_. @@ -71,7 +76,11 @@ not be used to commit. c. ECC, curve 25519 -3. Key expiry: 5 years maximum +3. Key expiration: + + a. Primary key: 3 years maximum + + b. Gentoo subkey: 1 year maximum 4. Upload your key to the SKS keyserver rotation before usage! @@ -128,11 +137,11 @@ their primary key). 2. Primary key and a dedicated signing subkey, both of type RSA, 2048 bits (OpenPGP v4 key format or later) -3. Key expiry: +3. Key expiration renewal: - a. Primary key: 3 years maximum, expiry date renewed annually. + a. Primary key: annual - b. Gentoo subkey: 1 year maximum, expiry date renewed every 6 months. + b. Gentoo subkey: every 6 months 4. Create a revocation certificate & store it hardcopy offsite securely (it's about ~300 bytes). -- 2.18.0