[Gpg4win-users-en] WKD for OpenPGP certificate "Intevation File Distribution Key <distribution-key at intevation.de>"

Thomas Arendsen Hein thomas at intevation.de
Mon Aug 5 15:18:01 CEST 2019


* Andre Heinecke <aheinecke at gnupg.org> [20190805 14:17]:
> On Monday 5 August 2019 13:32:33 CEST Thomas Arendsen Hein wrote:
> > Andre, do you think it would be helpful to keep old keys available
> > via WKD? If yes, either the WKD RFC needs to be adjusted (which
> > possibly can be helpful for people having multiple keys, too, e.g.
> > ed25519 and a more compatible fallback rsa3072 key, or during key
> > rollover when emails are still signed with the old key, but a new
> > key already is available) or we need to use different email
> > addresses, e.g. distribution-key+2016 at ... for a key generated in
> > 2016.
> 
> No, since 2019 Gpg4win no longer signs using the old key and I think since 2016
> we signed with both keys to deprecate the old one, so I think just having the
> new key available is completely fine. E.g., if we were to rollover to a new key
> I would sign for some time using both keys but then I would only want to
> publish the new, stronger key.

But for the following scenario this fails:
1. Gpg4win version x.y.1 is released in January 2020, signed by the 2016 key.
2. Intevation creates a new distribution key in February 2020 and
   uploads it to the WKD, replacing the 2016 key.
3. The next Gpg4win release x.y.2 will be released in April 2020.
-> There are 2-3 months where even the newest release can't be
   verified by a key retrieved from WKD.

> The old key is still used by some "historic" apt repositories that intevation 
> still publishes, so it should not be revoked.

And old Gpg4win releases (including sources!) are signed by the old
key, too, so revoking it would make verifying the integrity harder.
(now this will be for releases that are at least 3 years old, but
when the next rollover happens this will be for quite recent
releases)

And as indicated above, this does not only affect our distribution
key, but key rollover for other users as well where a new key should
be used for new correspondence, but the old key should continue to
be available to verify recent correspondence signed by the previous
key.

Regards,

Thomas

-- 
Thomas Arendsen Hein <thomas at intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
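The rollover gap described in the message above comes from WKD resolving each mail address to exactly one key slot. The following Python script is an added example, not code from this thread, from Intevation or from GnuPG; it computes the WKD lookup slot (SHA-1 of the lowercased local part, z-base-32 encoded) and the advanced and direct lookup URLs as specified in the Web Key Directory draft, and then models the scenario from the thread: a release signed by the 2016 key while the directory only carries the replacement key, versus the "distribution-key+2016" address suggested earlier in the thread, which lands in a separate slot. Addresses are written with "@" rather than the list archive's "at" obfuscation, and the key fingerprints are constructed placeholders, not the real distribution keys.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the Web Key Directory draft (draft-koch-openpgp-webkey-service)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first, no padding."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                       # zero-pad to a multiple of 5 bits
    value = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(ZBASE32[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD slot name: SHA-1 over the lowercased local part, z-base-32 encoded (32 chars)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the slot hash plus the advanced and direct lookup URLs for a mail address."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hu = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")   # original local part, percent-encoded
    return {
        "hash": hu,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}{query}",
    }


def releases_without_wkd_key(releases, wkd_directory):
    """Names of releases whose signing key is published in no WKD slot at all.

    releases:      list of (release_name, signing_key_fingerprint)
    wkd_directory: mapping mail address -> fingerprint of the single key served there
    """
    published = set(wkd_directory.values())
    return [name for name, fingerprint in releases if fingerprint not in published]


# Constructed placeholder fingerprints (not the real Intevation keys).
KEY_2016 = "PLACEHOLDER-FINGERPRINT-2016-KEY"
KEY_2020 = "PLACEHOLDER-FINGERPRINT-2020-KEY"

# The scenario from the thread: x.y.1 was signed with the 2016 key, the 2020 key
# then replaces it in WKD, and x.y.2 is not released until later.
RELEASES_JAN_TO_APRIL = [("x.y.1", KEY_2016)]


def rollover_demo() -> dict:
    """Compare 'replace the slot' with 'publish the old key under a suffixed address'."""
    replaced = {"distribution-key@intevation.de": KEY_2020}
    suffixed = {
        "distribution-key@intevation.de": KEY_2020,
        "distribution-key+2016@intevation.de": KEY_2016,
    }
    return {
        "replace_only": releases_without_wkd_key(RELEASES_JAN_TO_APRIL, replaced),
        "with_suffix": releases_without_wkd_key(RELEASES_JAN_TO_APRIL, suffixed),
        "slots": {addr: wkd_urls(addr)["hash"] for addr in suffixed},
    }


if __name__ == "__main__":
    for addr in ("distribution-key@intevation.de", "distribution-key+2016@intevation.de"):
        print(addr, "->", wkd_urls(addr)["advanced"])
    print(rollover_demo())
```

The two addresses hash to different `hu/` slots, so a verifier asked for the suffixed address can still fetch the 2016 key while the unsuffixed address serves only the current one; with plain replacement, `x.y.1` has no retrievable key for the gap the message describes. The hashes can be cross-checked against `gpg --with-wkd-hash --fingerprint <address>`, which prints the slot name GnuPG itself would look up.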