Reword the specification to express the requirement for separate signing subkey more verbosely. Replace the ambiguous term 'dedicated' with clear explanation that it needs to be different from the primary key and not used for other purposes.
Suggested-by: Kristian Fiskerstrand <k...@gentoo.org> --- glep-0063.rst | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/glep-0063.rst b/glep-0063.rst index d3e12e0..2f4e7f8 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -74,22 +74,25 @@ not be used to commit. personal-digest-preferences SHA256 -2. Primary key and a dedicated signing subkey, both of EITHER: +2. Signing subkey that is different from the primary key, and does not + have any other capabilities enabled. + +3. Primary key and the signing subkey are both of type EITHER: a. RSA, >=2048 bits (OpenPGP v4 key format or later only) b. ECC, curve 25519 -3. Key expiration: +4. Key expiration: a. Primary key: 3 years maximum b. Signing subkey: 1 year maximum -4. Key expiration date renewed at least 2 weeks before the previous +5. Key expiration date renewed at least 2 weeks before the previous expiration date. -5. Upload your key to the SKS keyserver rotation before usage! +6. Upload your key to the SKS keyserver rotation before usage! Recommendations --------------- @@ -141,7 +144,7 @@ their primary key). # when making an OpenPGP certification, use a stronger digest than the default SHA1: cert-digest-algo SHA256 -2. Primary key and a dedicated signing subkey, both of type RSA, 2048 bits +2. Primary key and the signing subkey are both of type RSA, 2048 bits (OpenPGP v4 key format or later) 3. Key expiration renewal: -- 2.18.0