[Gpg4win-users-en] WKD for OpenPGP certificate "Intevation File Distribution Key <distribution-key at intevation.de>"
Robert.stampfler at etsmtl.ca
Tue Aug 6 13:15:44 CEST 2019
Hi
Could you unsubscribe me from the distribution list?
Thank you !
robert.stampfler at etsmtl.ca
Sent from my iPhone
> On 6 August 2019 at 04:27, Andre Heinecke <aheinecke at gnupg.org> wrote:
>
> Hi,
>
>> On Monday 5 August 2019 15:18:01 CEST Thomas Arendsen Hein wrote:
>> But for the following scenario this fails:
>> 1. Gpg4win version x.y.1 is released in January 2020, signed by the 2016
>> key.
>> 2. Intevation creates a new distribution key in February 2020 and
>> uploads it to the WKD, replacing the 2016 key.
>> 3. The next Gpg4win release x.y.2 will be released in April 2020.
>> -> There are 2-3 months where even the newest release can't be
>> verified by a key retrieved from WKD.
>
> Yes, in that case Intevation should only update the key together with a
> release. It is a bit problematic but happily such a key rollover does not
> happen much.
>
>>> The old key is still used by some "historic" apt repositories that
>>> intevation still publishes, so it should not be revoked.
>>
>> And old Gpg4win releases (including sources!) are signed by the old
>> key, too, so revoking it would make verifying the integrity harder.
>> (now this will be for releases that are at least 3 years old, but
>> when the next rollover happens this will be for quite recent
>> releases)
>
> This depends a bit on how you handle key rollover in the GUI. For example
> Kleopatra does show it yellow if a key is expired. It says "Valid signature
> but the key has expired" which I find O.K.
>
>> And as indicated above, this does not only affect our distribution
>> key, but key rollover for other users as well where a new key should
>> be used for new correspondence, but the old key should continue to
>> be available to verify recent correspondence signed by the previous
>> key.
>
> Again, depends a bit on the GUI. I know that KMail, at least in old versions,
> would show that bloody red for expired / revoked keys. But IMO at least expiry
> is "not so bad" because of the above mentioned reasons. And at some point we
> will have to expire the 1024 bit key to show "Don't trust it too much
> anymore". That happens next year and is the right thing.
>
> Btw. I think that the rsa3072 key can have its expiry extended to at least
> 2026. So that it will have been in use for 10 years like the old key. And this
> should not happen at the last moment. I do not see much reason currently to
> switch to ECC as for a rare file verification there are no real performance
> reasons and the security of rsa3072 is still very good.
>
>
> Best Regards,
> Andre
>
> --
> GnuPG.com - a brand of g10 Code, the GnuPG experts.
>
> g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
> GF Werner Koch, USt-Id DE215605608, www.g10code.com.
>
> GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
> Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: board at gnupg.org
> Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799
> _______________________________________________
> Gpg4win-users-en mailing list
> Gpg4win-users-en at wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
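The quoted discussion turns on the fact that a WKD lookup for the distribution key address has exactly one location per user ID, so whatever Intevation publishes there is what every client fetches. The following is an added example, not code from Gpg4win, GnuPG or Intevation: it implements the address-to-URL mapping from the WKD draft (draft-koch-openpgp-webkey-service), which is what `gpg --locate-keys` does before fetching. The local part is lower-cased, SHA-1 hashed, z-base-32 encoded (20 bytes give 32 characters with no padding), and placed under `/.well-known/openpgpkey/`. The addresses used below are the one from the thread's subject and the worked example from the draft itself; no network access is needed.

```python
"""WKD (Web Key Directory) lookup URL derivation.

Added example, not project code. Follows draft-koch-openpgp-webkey-service:
  1. lower-case the local part of the address,
  2. SHA-1 it,
  3. z-base-32 encode the 20-byte digest (exactly 32 characters),
  4. build the "advanced" and "direct" method URLs, appending the
     percent-encoded local part as the ``l`` query parameter.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (Zooko's variant), as mandated by the WKD draft
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, MSB first, 5 bits per character, no padding chars.

    For the 160-bit SHA-1 digest WKD uses this is exact (32 groups of 5 bits).
    """
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # right-pad the bit string to a multiple of 5
    value <<= pad
    nchars = (nbits + pad) // 5
    return "".join(
        ZB32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F]
        for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """Hash component of the WKD path: z-base-32(SHA-1(lowercased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the WKD hash and both lookup URLs for an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    # The ``l`` parameter carries the local part as written (case preserved),
    # percent-encoded; the hash is computed over the lower-cased form.
    l_param = quote(local, safe="")
    return {
        "hash": h,
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{h}?l={l_param}"),
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


if __name__ == "__main__":
    # The address from this thread's subject line.
    for name, url in wkd_urls("distribution-key@intevation.de").items():
        print(f"{name:9} {url}")
```

A client tries the advanced URL first and falls back to the direct one; both resolve to the same single hash slot, so a rollover that overwrites that file removes the previous certificate from WKD lookups entirely, which is the window the quoted scenario describes.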