
Re: Security guidelines for Debian people



Henrique de Moraes Holschuh <hmh@debian.org> writes:

> One thing we have not talked about is that of subkey validity.  It is
> not that kosher to have anything signed in stable with a subkey which
> will not be valid for the lifetime of stable, so we should keep that in
> mind.

I currently use a one-year expiration time on the signing subkey and then
extend it every six months (and do something similar with the encryption
subkey and the main key, except use two years).  The idea is that if
something particularly serious happens to me such that I can't make use of
my revocation certificate, the exposure time for the key is at least
partly limited.  I think that's still consistent with using that key to
sign source packages in stable; either it will be extended, or something
really bad happened and even stable users should probably know that.

Back before I knew what I was doing with PGP, I created a key without a
pre-generated revocation certificate and then ended up, over the years,
forgetting the passphrase (I was sure I knew what it was, but it doesn't
work).  That key, 0x56E8F739, is still floating around out there and I
can't make it go away, whereas if I'd set an expiration date on it from
the start and extended it periodically, it would have expired by now and it
would be clear that it's no longer my key.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

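The extension routine described in the message above (one-year expiration on the signing subkey, pushed forward every six months, with an eye on whether the subkey outlives the release it signed for) is easy to forget unless something checks it for you. The script below is an added example, not code from the original post or from Debian: it parses the machine-readable output of `gpg --with-colons --fixed-list-mode --list-keys` (real GnuPG options), flags primary keys and subkeys that have no expiration, have already expired, or expire before a deadline you choose (the next scheduled extension, or the end of a stable release's support), and builds the `gpg --quick-set-expire` command (GnuPG 2.1.22 or later) that extends the affected subkeys. The embedded listing is constructed for illustration; its fingerprints, key IDs and dates are made up, and `NOW` is pinned to a fixed epoch so the run is reproducible.

```python
"""Flag GnuPG primary keys and subkeys whose expiration needs attention.

Added example, not from the original message.  Parses the colon-format
listing printed by `gpg --with-colons --fixed-list-mode --list-keys` and
reports keys that (a) have no expiration, (b) have already expired, or
(c) expire before a chosen deadline.  The listing below is constructed:
fingerprints, key IDs and dates are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed listing: a primary key (certify+sign, expires 2025-06-15),
# a signing subkey expiring earlier (2024-12-24) and an encryption subkey
# with no expiration at all.  Dates are Unix epochs (UTC seconds).
SAMPLE_LISTING = """\
tru::1:1700000000:1800000000:3:1:5
pub:u:4096:1:ABCDEF0123456789:1600000000:1750000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1600000000:1735000000:::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
sub:u:4096:1:1122334455667788:1600000000::::::e::::::23:
fpr:::::::::1111222233334444555566667777888899990000:
"""

NOW = 1720000000          # fixed "today" (2024-07-03) so the run is reproducible
SIX_MONTHS = 183 * 86400  # the half-year extension interval from the message


@dataclass
class KeyRecord:
    kind: str               # "pub" (primary key) or "sub" (subkey)
    keyid: str
    fpr: str
    caps: str               # capability letters: s=sign, e=encrypt, c=certify
    expires: Optional[int]  # Unix epoch, or None when no expiration is set
    primary_fpr: str        # fingerprint of the primary key this record hangs off


def parse_listing(text: str) -> List[KeyRecord]:
    """Pair each pub/sub record with the fpr record that follows it.

    Colon-format fields (1-based): 1 type, 5 key ID, 6 creation, 7 expiration,
    12 capabilities; an fpr record carries the fingerprint in field 10.
    """
    records: List[KeyRecord] = []
    pending: Optional[Tuple[str, str, str, Optional[int]]] = None
    primary_fpr = ""
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            expires = int(f[6]) if f[6] else None
            pending = (f[0], f[4], f[11], expires)
        elif f[0] == "fpr" and pending is not None:
            kind, keyid, caps, expires = pending
            fpr = f[9]
            if kind == "pub":
                primary_fpr = fpr
            records.append(KeyRecord(kind, keyid, fpr, caps, expires, primary_fpr))
            pending = None
    return records


def check_expiry(records: List[KeyRecord], now: int,
                 deadline: int) -> List[Tuple[str, str, str, str]]:
    """Return (fpr, kind, caps, problem) for every key that needs attention."""
    problems = []
    for r in records:
        if r.expires is None:
            problems.append((r.fpr, r.kind, r.caps, "no expiration set"))
        elif r.expires <= now:
            problems.append((r.fpr, r.kind, r.caps, "already expired"))
        elif r.expires < deadline:
            problems.append((r.fpr, r.kind, r.caps, "expires before deadline"))
    return problems


def extend_command(primary_fpr: str, subkey_fprs: List[str],
                   period: str = "1y") -> List[str]:
    """Build the `gpg --quick-set-expire` invocation (GnuPG >= 2.1.22) that
    moves the expiration of the named subkeys to `period` from now.  Without
    subkey fingerprints the same option changes the primary key instead."""
    return ["gpg", "--quick-set-expire", primary_fpr, period] + list(subkey_fprs)


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    problems = check_expiry(recs, NOW, NOW + SIX_MONTHS)
    for fpr, kind, caps, problem in problems:
        print(f"{kind} {fpr} [{caps}]: {problem}")
    # Subkeys that expire too soon get extended; a key with no expiration is
    # only reported, since adding one is a deliberate decision.
    soon = [p[0] for p in problems
            if p[1] == "sub" and p[3] == "expires before deadline"]
    print(" ".join(extend_command(recs[0].primary_fpr, soon)))
```

In practice you would feed `parse_listing` the output of `gpg --with-colons --fixed-list-mode --list-keys <your-key-id>` and set `deadline` to either the next planned extension (`NOW + SIX_MONTHS`) or the end-of-support date of the release whose packages the subkey signs, which is the point raised in the quoted message. Running the printed `--quick-set-expire` command requires the primary key's secret material and passphrase; after extending, push the updated key to the keyservers, since the new expiration is a self-signature that relying parties only see once they refresh.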
