Newsgroups: php.internals
Subject: Re: [PHP-DEV] Changes to Git commit workflow
From: pollita@php.net (Sara Golemon)
Date: Thu, 1 Apr 2021 11:23:59 -0500
To: Rowan Tommins
Cc: PHP internals

On Thu, Apr 1, 2021 at 11:19 AM Rowan Tommins wrote:
> On 01/04/2021 15:59, Sara Golemon wrote:
> > On Thu, Apr 1, 2021 at 9:21 AM Bishop Bettini wrote:
> >
> > > I also added a FAQ.
> >
> > I disagree with the position this document takes on immortal keys. We
> > should encourage best-practices with the knowledge that some people
> > will weaken their security with an immortal key, not start from a weak
> > position and suggest that adhering to best practices is "paranoid".
>
> I've been looking around, and most of what I can find says that expiring
> a primary key which you use directly for signing has very little value,
> because anyone who has the private key and passphrase can change the
> expiry date at any time. See for example:
> https://security.stackexchange.com/q/14718/51961
>
> The main use case seems to be when using sub-keys, where the primary key
> (with no expiry) is kept offline, and new sub-keys are generated from it
> regularly (e.g. once a year) with an appropriate expiry date.
>
> This is based only on a few hours of searching online, however, so I'd
> be happy to see a better explanation of how to use expiry effectively.

Yeah, I just got told the same offline. That's.... depressing. Not surprising when one thinks about it more, but still depressing.

-Sara
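The subkey layout Rowan describes, as an added example that is not code from this thread or from the php.net workflow document: a certify-only primary key with no expiry, a signing subkey that expires after one year, yearly rotation by adding a fresh subkey under the same primary, and an export of the secret subkeys alone for the machine that actually signs. Everything runs in a throwaway GNUPGHOME with an empty passphrase and a constructed identity (demo@example.invalid); those are demo assumptions, not a recommendation. It needs GnuPG 2.1.17 or later for the --quick-* commands.

```shell
#!/bin/sh
# Added example, not code from the PHP thread: the layout Rowan describes,
# built in a throwaway GNUPGHOME so it never touches the real keyring.
# Needs GnuPG >= 2.1.17 (for the --quick-* commands).
set -eu

# Constructed identity for the demo. The empty passphrase is a demo shortcut
# as well; a real offline primary belongs on a token or in a protected file.
DEMO_UID="Demo Signer <demo@example.invalid>"

# gpg, non-interactive, empty passphrase.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Certify-only primary that never expires, plus a one-year signing subkey.
# Prints the primary fingerprint.
make_keys() {
    g --quick-generate-key "$DEMO_UID" ed25519 cert never >/dev/null
    fpr=$(gpg --batch --with-colons --list-keys "$DEMO_UID" \
          | awk -F: '$1=="fpr"{print $10; exit}')
    g --quick-add-key "$fpr" ed25519 sign 1y >/dev/null
    echo "$fpr"
}

# Yearly rotation: the same command again, run on the machine that holds the
# primary. The old subkey simply runs out; revoke it with --edit-key if it
# was exposed before then.
rotate_subkey() { g --quick-add-key "$1" ed25519 sign 1y >/dev/null; }

# Expiry of the primary: field 7 of the "pub" record, empty means never.
primary_expiry() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $7; exit}'
}

# Count signing subkeys (capability "s" in field 12) that carry an expiry.
expiring_subkeys() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1=="sub" && $7!="" && $12 ~ /s/ {n++} END{print n+0}'
}

# Hand only the secret subkeys to a second homedir (the online signing box)
# and report whether the primary is a stub there: gpg marks it "sec#".
primary_is_stub_on_online_box() {
    online=$(mktemp -d)
    g --export-secret-subkeys "$1" > "$online/subkeys.gpg"
    g --homedir "$online" --import "$online/subkeys.gpg"
    if gpg --batch --homedir "$online" --list-secret-keys "$1" | grep -q '^sec#'; then
        echo yes
    else
        echo no
    fi
}

demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    fpr=$(make_keys)
    rotate_subkey "$fpr"
    echo "primary expiry: '$(primary_expiry "$fpr")' (empty = never)"
    echo "expiring signing subkeys: $(expiring_subkeys "$fpr")"
    echo "primary is a stub on the online box: $(primary_is_stub_on_online_box "$fpr")"
}

if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

The primary's expiry field comes back empty, the signing subkeys each carry an expiry, and on the online box `gpg --list-secret-keys` prints `sec#`, the marker that the primary's secret half is absent there. That separation is what gives the expiry date its value: whoever takes the online box gets a subkey that runs out within the year and that the offline primary can revoke and replace, while the primary, whose holder could indeed rewrite any expiry at will, never leaves the offline machine.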