| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Following the recent mailing list discussion indicating that developers
are taking GLEP 63 as only source of truth about OpenPGP keys, and can
make assumption that if encryption key is not listed there they should
not have one. Amend the specification to extend it beyond the previous
limited scope of commit signing, and require an encryption key
appropriately. This matches the GnuPG defaults.
While at it, add a recommendation that the primary key is certify-only.
Other usage is implicitly discouraged anyway via requiring subkeys.
Originally this recommendation was omitted as I wasn't aware that gpg
had a (hidden) option to change usage of existing keys.
Closes: https://bugs.gentoo.org/681802
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
| |
Signed-off-by: Ulrich Müller <ulm@gentoo.org>
|
| |
|
| |
|
|
|
|
| |
Requested-by: Ulrich Müller <ulm@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
Remove the gpg.conf bits from recommended and minimal specification.
Apparently they are seriously obsolete and worse than the modern
defaults. While at it, editorial corrections to 'SHA2' bit.
Requested-by: Richard Yao <ryao@gentoo.org>
|
|
|
|
| |
Requested-by: Robin H. Johnson <robbat2@gentoo.org>
|
|
|
|
|
|
| |
There really is no technical reason to use DSA keys and people who are
still using old DSA keys should finally replace them, so remove them
from the minimal requirements.
|
|
|
|
|
| |
Add a rule requesting renewal of keys at least two weeks before their
expiration date, in order to give services time to refresh.
|
|
|
|
|
|
|
|
| |
Replace the disjoint 'minimum' and 'recommendation' for expiration with
a single requirement. Make it 2.5 years with recommended annual renewal
to a fixed day of the year (2 years + some grace time for renewal).
Also, remove disjoint expiration recommendation for the primary key
and subkeys since many developers fail at implementing that anyway.
|
|
|
|
|
|
| |
There is really no technical reason to use DSA these days, and we should
focus on having a single recommendation. DSA keys are still permitted
via 'minimal' requirements.
|
|
|
|
|
|
|
| |
Optionally allow using ECC curve 25519 keys. We already have
developers using those keys, and given that they are supported
by GnuPG 2.2, there's probably no reason to ban them. However, they're
not recommended due to interoperability issues.
|
|
|
|
|
|
|
| |
Change the recommended key size recommendation for RSA from 4096 bits
to 2048 bits. Use of larger keys is unjustified due to negligible gain
in security, and recommending RSA-4096 unnecessarily resulted
in developers replacing their RSA-2048 keys for no good reason.
|
| |
|
|
|
|
|
|
|
|
|
| |
Reword the specification to express the requirement for separate signing
subkey more verbosely. Replace the ambiguous term 'dedicated' with
clear explanation that it needs to be different from the primary key
and not used for other purposes.
Suggested-by: Kristian Fiskerstrand <k_f@gentoo.org>
|
|
|
|
|
| |
Replace the custom term 'root key' with much more common 'primary key'.
This is also the term used in GnuPG output.
|
|
|
|
|
|
|
|
| |
Replace the 'Gentoo subkey' term that might wrongly suggest that
the developers are expected to create an additional, dedicated subkey
for Gentoo.
Suggested-by: Kristian Fiskerstrand <k_f@gentoo.org>
|
|
|
|
|
|
|
|
| |
Replace the 'RSAv4' with 'OpenPGP v4 key format'. The RSA algorithm
does not really have versions, and the author most likely meant the v4
of OpenPGP key format as outlined in RFC 4880, section 12.1.
This was figured out and explained to me by Kristian Fiskerstrand.
|
|
|
|
|
|
| |
Replace many of the incorrect uses of GPG/GnuPG [key] with OpenPGP.
G[nu]PG has been left where the text clearly refers to the specific
implementation of OpenPGP rather than the standard itself.
|
|
|
|
|
|
|
| |
As with my other GLEPs (57-61), document the copyright owners, for
future relicensing.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
|
| |
|
|
|