feat: updating expiry #2

Open
opened 2023-05-30 19:20:49 +00:00 by jcgruenhage · 0 comments

Besides key signing/certification and UID changes, expiration updates are the most common kind of OpenPGP "maintenance".

Design-wise, the goal here is so that you don't have to change the spec for expiry updates at all. There's a threshold defined in the spec, and if the validity falls under that threshold, it's gonna be extended by one validity_period. This way, if the validity_period is 2 years for example, the threshold is 3 months, and you use openpgp-key-janitor 22 months after initial key creation, it's going to be extended to creation + 2 * validity_period, so 48 months, and running it after 47 months will make it end up creation + 3 * validity_period, so 72 months.

This choice has been made so that maintaining a large number of keys, for example for a company, becomes easier, as you can then run openpgp-key-janitor for every key without thinking about it too much, before then publishing all pubkeys that have changed during that.

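The extension rule described in the issue, modelled as an added example (this is not openpgp-key-janitor's own code, and the names `ExpiryPolicy`, `maybe_extend`, `run_janitor` and the month-granularity integers are assumptions made here for illustration). It walks through the 22-month and 47-month runs from the issue text, shows a run that leaves the expiry untouched because the remaining validity is still above the threshold, and applies the same rule across a batch of keys so that only the changed ones are reported for republishing:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExpiryPolicy:
    """Parameters the issue says live in the spec. Times are in whole months
    since key creation (an assumption of this example, chosen to match the
    issue's worked numbers)."""
    validity_period: int  # e.g. 24 months
    threshold: int        # e.g. 3 months

def remaining_validity(expiry: int, now: int) -> int:
    """Months of validity left; negative means the key has already expired."""
    return expiry - now

def maybe_extend(expiry: int, now: int, policy: ExpiryPolicy) -> int:
    """Apply the issue's rule once: if the remaining validity is *under* the
    threshold, push the expiry out by exactly one validity_period, measured
    from the current expiry (not from 'now'). Otherwise leave it alone.
    'Under' is read as a strict comparison here (assumption)."""
    if remaining_validity(expiry, now) < policy.threshold:
        return expiry + policy.validity_period
    return expiry

def simulate(run_times: list[int], policy: ExpiryPolicy, creation: int = 0) -> list[tuple[int, int, int]]:
    """Replay janitor runs at the given months after creation.
    Returns (run_time, expiry_before, expiry_after) per run."""
    expiry = creation + policy.validity_period  # initial expiry at key creation
    history = []
    for now in run_times:
        new_expiry = maybe_extend(expiry, now, policy)
        history.append((now, expiry, new_expiry))
        expiry = new_expiry
    return history

def run_janitor(keys: dict[str, int], now: int, policy: ExpiryPolicy) -> tuple[dict[str, int], set[str]]:
    """The 'run it for every key' use case: apply the rule to a whole keyring
    and report which keys changed, i.e. which pubkeys need republishing."""
    updated = {}
    changed = set()
    for fingerprint, expiry in keys.items():
        new_expiry = maybe_extend(expiry, now, policy)
        updated[fingerprint] = new_expiry
        if new_expiry != expiry:
            changed.add(fingerprint)
    return updated, changed

if __name__ == "__main__":
    policy = ExpiryPolicy(validity_period=24, threshold=3)
    for now, before, after in simulate([12, 22, 47], policy):
        print(f"month {now:2d}: expiry {before} -> {after}")
    # Constructed placeholder fingerprints, not real keys.
    keyring = {"KEY-A-PLACEHOLDER": 24, "KEY-B-PLACEHOLDER": 48, "KEY-C-PLACEHOLDER": 30}
    _, to_publish = run_janitor(keyring, now=22, policy=policy)
    print("republish:", sorted(to_publish))
```

Running the script reproduces the issue's numbers: the month-12 run leaves the expiry at 24 (12 months remain, above the threshold), the month-22 run moves it to 48, and the month-47 run moves it to 72. In the batch, only the key whose remaining validity is under 3 months is reported as changed.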
Reference: jcgruenhage/openpgp-key-janitor#2