Gentoo Archives: gentoo-dev

From: Mikle Kolyada <zlogene@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH] glep-0063: Allow a single primary/signing key for smartcards
Date: Thu, 25 Apr 2019 12:56:19
Message-Id: 8a9bc0dd-0cb8-a853-6358-8ca1b05e9f88@gentoo.org
In Reply to: [gentoo-dev] [PATCH] glep-0063: Allow a single primary/signing key for smartcards by Rich Freeman
On 25.04.2019 14:32, Rich Freeman wrote:
> [snip]

> Patch follows:
>
>
> diff --git a/glep-0063-v3.rst b/glep-0063-v3.rst
> index 5895873..86e5fd9 100644
> --- a/glep-0063-v3.rst
> +++ b/glep-0063-v3.rst
> @@ -12,6 +12,12 @@ OpenPGP key management policies for the Gentoo
> Linux distribution.
> Changes
> =======
>
> +v3
> + The requirement to have a separate signing and primary key was removed
> + in the case of keys generated/stored on smartcards, to encourage the use
> + of these keys, and acknowledging that the main use case for a separate
> + primary key is largely fulfilled by having all the keys stay offline.
> +
> v2
> The distinct minimal and recommended expirations have been replaced
> by a single requirement. The rules have been simplified to use
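Review bot: the Changes entry and the rule it summarises do not agree on scope. The entry says the separate signing key requirement was removed for keys "generated/stored on smartcards", while the new text of rule 2 exempts only a primary key that "was generated on a smartcard"; a key generated elsewhere and later moved onto a card is covered under one wording and not the other. Pick one scope and use the same words in both places, e.g. "in the case of primary keys generated on smartcards".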
> @@ -69,7 +75,8 @@ not be used to commit.
> at least 256-bit. All subkey self-signatures must use this digest.
>
> 2. Signing subkey that is different from the primary key, and does not
> - have any other capabilities enabled.
> + have any other capabilities enabled. This requirement does not apply
> + if the primary key was generated on a smartcard.
>
> 3. Primary key and the signing subkey are both of type EITHER:
>
>
>
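Review bot: the exemption added to rule 2 ("This requirement does not apply if the primary key was generated on a smartcard") leaves rule 3 inconsistent, because "Primary key and the signing subkey are both of type EITHER:" still assumes a signing subkey exists; state what rule 3 requires when only a primary key is present. The exemption also gives no way to tell a primary key generated on the card from one imported onto it, so say what evidence the policy expects, otherwise the condition cannot be checked by whoever enforces it.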
I strongly disagree with this change. If you generated your keys
straight on the device you are not able to make a backup later.
The best practice here is to have a separate USB stick that is never
used for purposes other than storing private keys.
Also, paperkey backups should serve as the last resort.
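The objection above rests on a property you can check mechanically: GnuPG lists a secret key whose private part exists only on a card as a stub. The following POSIX shell script is an added example, not code from this thread or from GLEP 63; it classifies the sec/ssb records of `gpg --list-secret-keys --with-colons` output by field 15 (the token serial, as documented in GnuPG's DETAILS file), and the two listings it checks are constructed samples with a made-up card serial, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread or GLEP 63): classify the sec/ssb
# records of `gpg --list-secret-keys --with-colons` output to tell a
# restorable backup (secret material present) from smartcard stubs.
# GnuPG's DETAILS file defines field 15 of sec/ssb records as the token
# serial: non-empty means the secret part lives on that card, '#' means the
# secret key is not available and '+' means it is on a token whose serial
# is unknown. Only an empty field 15 means the keyring holds the secret key.

# Print one line per secret key record: type, key id, capabilities, status.
classify_listing() {
  awk -F: '$1 == "sec" || $1 == "ssb" {
    status = "secret-present"
    if ($15 == "#") { status = "secret-missing" }
    else if ($15 == "+") { status = "stub-unknown-card" }
    else if ($15 != "") { status = "stub-card:" $15 }
    print $1, $5, $12, status
  }'
}

# Count records whose secret part is not in this keyring, i.e. keys that
# an export of this keyring could not restore after losing the card.
count_unrestorable() {
  classify_listing | awk '$4 != "secret-present" { n++ } END { print n + 0 }'
}

# Constructed sample 1 (not a real key): generated off-card in the GLEP 63
# layout, certify-only primary plus a separate signing subkey. Field 15 is
# empty, so the secret material is present and can be backed up.
SAMPLE_OFFLINE='sec:u:255:22:0123456789ABCDEF:1556194579:1587730579::u:::cSC:::::ed25519:
ssb:u:255:22:FEDCBA9876543210:1556194579:1587730579:::::s:::::ed25519:'

# Constructed sample 2: the same layout generated on a smartcard. Field 15
# carries a made-up card serial, so the keyring holds only stubs.
SAMPLE_ON_CARD='sec:u:255:22:0123456789ABCDEF:1556194579:1587730579::u:::cSC:::D2760001240100000000000012340000::ed25519:
ssb:u:255:22:FEDCBA9876543210:1556194579:1587730579:::::s:::D2760001240100000000000012340000::ed25519:'

# Stand-alone run: show both classifications and the unrestorable counts.
for listing in "$SAMPLE_OFFLINE" "$SAMPLE_ON_CARD"; do
  printf '%s\n' "$listing" | classify_listing
  printf 'unrestorable: %s\n\n' "$(printf '%s\n' "$listing" | count_unrestorable)"
done
```

Import the backup into a scratch GNUPGHOME and pipe that keyring's listing into the script; a non-zero count names the keys that backup could not restore.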

Attachments

File name MIME type
signature.asc application/pgp-signature