On Mon, Nov 11, 2013 at 12:38:47PM +0100, Andreas K. Huettel wrote:
> However, another question is whether to require a signing *subkey*. The cards
> have (as far as I understand it) only one sign/cert key store, meaning they
> can either hold the main key or the signing subkey, but never both.
> http://dilfridge.blogspot.de/2013/05/openpgp-smartcards-and-gentoo-part-2.html
Nothing in my proposal required a signing subkey. See the min
requirement vs the recommendation. To take the recommendations into a
smartkey environment isn't entirely practical.

I think that the key in the sign/cert slot, be it a subkey or the
main key, should be valid to use for Gentoo signing.

I see 3 variations of developer:
1. Those with long-standing existing keys, that hopefully meet the min
   requirement. It would be nice to encourage them to migrate over time.
2. New Software keys: New devs, existing devs rekeying
3. New Hardware keys: New devs, existing devs rekeying or migrating

The GLEP has to make all 3 groups happy, hence the breakdown between the
requirement and the recommendation. My own key is more than a decade
old, and has an extensive trust network. I do need to fully rotate it
sometime soon, but I want this GLEP to be finalized first. Sadly I don't
think I'll ever manage to meet all of the same people again to certify
my key.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85