[Gpg4win-users-en] WKD for OpenPGP certificate "Intevation File Distribution Key <distribution-key at intevation.de>"

Robert.stampfler at etsmtl.ca Robert.stampfler at etsmtl.ca
Tue Aug 6 13:15:44 CEST 2019


Could you unsubscribe me from thé distribution list ?

Thank you !

robert.stampfler at etsmtl.ca

Envoyé de mon iPhone

> Le 6 août 2019 à 04:27, Andre Heinecke <aheinecke at gnupg.org> a écrit :
> Hi,
>> On Monday 5 August 2019 15:18:01 CEST Thomas Arendsen Hein wrote:
>> But for the following scenario this fails:
>> 1. Gpg4win version x.y.1 is released in January 2020, signed by the 2016 
> key.
>> 2. Intevation creates a new distribution key in February 2020 and
>>   uploads it to the WKD, replacing the 2016 key.
>> 3. The next Gpg4win release x.y.2 will be released in April 2020.
>> -> There are 2-3 months where even the newest release can't be
>>   verified by a key retrieved from WKD.
> Yes, in that case Intevation should only update the key together with a 
> release. It is a bit problematic but happily such a key rollover does not 
> happen much.
>>> The old key is still used by some "historic" apt repositories that 
> intevation 
>>> still publishes, so it should not be revoked.
>> And old Gpg4win releases (including sources!) are signed by the old
>> key, too, so revoking it would make verifying the integrity harder.
>> (now this will be for releases that are at least 3 years old, but
>> when the next rollover happens this will be for quite recent
>> releases)
> This depends a bit on how you handle key rollover in the GUI. For example 
> Kleopatra does show it yellow if a key is expired. It says "Valid signature 
> but the key has expired" which I find O.K.
>> And as indicated above, this does not only affect our distribution
>> key, but key rollover for other users as well where a new key should
>> be used for new correspondence, but the old key should continue to
>> be available to verify recent correspondence signed by the previous
>> key.
> Again, depends a bit on the GUI. I know that KMail at least in old version 
> would show that bloody red for expired / revoked keys. But IMO at least expiry 
> is "not so bad" because of the above mentioned reasons. And at some point we 
> will have to expired the 1024 bit key to show "Don't trust it too much 
> anymore". That happens next year and is the right thing.
> Btw. I think that the rsa3072 key can have it expiry extended to at least 
> 2026. So that it will have been in use for 10 years like the old key. And this 
> should not happen at the last moment. I do not see much reason currently to 
> switch to ECC as for a rare file verification there are no real performance 
> reasons and the security of rsa3072 is still very good. 
> Best Regards,
> Andre
> -- 
> GnuPG.com - a brand of g10 Code, the GnuPG experts.
> g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
> GF Werner Koch, USt-Id DE215605608, www.g10code.com.
> GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf.  VR 11482 Düsseldorf
> Vorstand: W.Koch, M.Gollowitzer, A.Heinecke.    Mail: board at gnupg.org
> Finanzamt D-Altstadt, St-Nr: 103/5923/1779.   Tel: +49-2104-4938799
> _______________________________________________
> Gpg4win-users-en mailing list
> Gpg4win-users-en at wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en

More information about the Gpg4win-users-en mailing list