Reword the specification to express the requirement for a separate signing
subkey more verbosely. Replace the ambiguous term 'dedicated' with
a clear explanation that it needs to be different from the primary key
and not used for other purposes.

Suggested-by: Kristian Fiskerstrand <k_f@g.o>
---
 glep-0063.rst | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst |
index d3e12e0..2f4e7f8 100644 |
--- a/glep-0063.rst |
+++ b/glep-0063.rst |
@@ -74,22 +74,25 @@ not be used to commit. |
|
personal-digest-preferences SHA256 |
|
-2. Primary key and a dedicated signing subkey, both of EITHER: |
+2. Signing subkey that is different from the primary key, and does not |
+ have any other capabilities enabled. |
+ |
+3. Primary key and the signing subkey are both of type EITHER: |
|
a. RSA, >=2048 bits (OpenPGP v4 key format or later only) |
|
b. ECC, curve 25519 |
|
-3. Key expiration: |
+4. Key expiration: |
|
a. Primary key: 3 years maximum |
|
b. Signing subkey: 1 year maximum |
|
-4. Key expiration date renewed at least 2 weeks before the previous |
+5. Key expiration date renewed at least 2 weeks before the previous |
expiration date. |
|
-5. Upload your key to the SKS keyserver rotation before usage! |
+6. Upload your key to the SKS keyserver rotation before usage! |
|
Recommendations |
--------------- |
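Review bot: In the new item 2, "different from the primary key" is redundant for a subkey, and the item is a sentence fragment while the new item 3 is a full sentence. Consider wording such as "A signing subkey, separate from the primary key, with only the signing capability enabled", which also names the one capability that is meant to remain. The split also shifts the old items 3 to 5 to 4 to 6, so any references to these item numbers elsewhere in glep-0063.rst need the same renumbering.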
@@ -141,7 +144,7 @@ their primary key). |
# when making an OpenPGP certification, use a stronger digest than the default SHA1: |
cert-digest-algo SHA256 |
|
-2. Primary key and a dedicated signing subkey, both of type RSA, 2048 bits |
+2. Primary key and the signing subkey are both of type RSA, 2048 bits |
(OpenPGP v4 key format or later) |
|
3. Key expiration renewal: |
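Review bot: The changed item 2 in this list drops "dedicated" without the replacement wording that the first hunk adds, so the recommendations no longer say that the signing subkey must be signing-only, which is more than the rewording the commit message describes. Either repeat the new requirement here ("a signing subkey with no other capabilities enabled") or state that the bare minimum requirements continue to apply to this list.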
-- |
2.18.0 |