| 1 |
On Mon, Nov 11, 2013 at 12:38:47PM +0100, Andreas K. Huettel wrote: |
| 2 |
> However, another question is whether to require a signing *subkey*. The cards |
| 3 |
> have (as far as I understand it) only one sign/cert key store, meaning they |
| 4 |
> can either hold the main key or the signing subkey, but never both. |
| 5 |
> http://dilfridge.blogspot.de/2013/05/openpgp-smartcards-and-gentoo-part-2.html |
| 6 |
Nothing in my proposal required a signing subkey. See the min |
| 7 |
requirement vs the recommendation. To take the recommendations into a |
| 8 |
smartkey environment isn't entirely practical. |
| 9 |
|
| 10 |
I think if that the key in the sign/cert slot, be it a subkey or the |
| 11 |
main key, should be valid to use for Gentoo signing. |
| 12 |
|
| 13 |
I see 3 variations of developer: |
| 14 |
1. Those with long-standing existing keys, that hopefully meet the min |
| 15 |
requirement. It would be nice to encourage them to migrate over time. |
| 16 |
2. New Software keys: New devs, existing devs rekeying |
| 17 |
3. New Hardware keys: New devs, existing devs rekeying or migrating |
| 18 |
|
| 19 |
The GLEP has to make all 3 groups happy, hence the breakdown between the |
| 20 |
requirement and the recommendation. My own key is more than a decade |
| 21 |
old, and has an extensive trust network. I do need to fully rotate it |
| 22 |
sometime soon, but I want this GLEP to be finalized first. Sadly I don't |
| 23 |
think I'll ever manage to meet all of the same people again to certify |
| 24 |
my key. |
| 25 |
|
| 26 |
-- |
| 27 |
Robin Hugh Johnson |
| 28 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 29 |
E-Mail : robbat2@g.o |
| 30 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives