Your keys do not meet minimal requirements set forth in GLEP 63 [1]. glep63-check [2] reports: B1404F91668D9B84 [Richard Yao (State University of New York at Stony Brook) <ryao@cs.stonybrook.edu>] [E] expire:long Expiration date is too long (is 2104-01-19 04:31:03, <3 years recommended, 5 years max) B1404F91668D9B84 [Richard Yao (State University of New York at Stony Brook) <ryao@cs.stonybrook.edu>] [E] subkey:none Having a dedicated signing subkey is required B1404F91668D9B84 [Richard Yao (State University of New York at Stony Brook) <ryao@cs.stonybrook.edu>] [W] uid:nogentoo @gentoo.org e-mail not in key UIDs 20EE1199BEE84C64 [Richard Yao (Gentoo Developer) <ryao@gentoo.org>] [E] expire:none No expiration date on public key (<3 years recommended, 5 years max) 20EE1199BEE84C64 [Richard Yao (Gentoo Developer) <ryao@gentoo.org>] [E] subkey:none Having a dedicated signing subkey is required So, I don't understand the purpose of the second key. If you aren't planning to commit with it, please remove it as it opens a completely unnecessary possibility of compromising gentoo.git. Also, please set *sane* expiration dates and create dedicated subkeys per GLEP 63 [1]. [1]:https://www.gentoo.org/glep/glep-0063.html [2]:https://github.com/mgorny/glep63-check
I still have control over the stonybrook.edu key, although I agree that it should be removed. I will remove my old university key from LDAP this evening when I am at my workstation. Both keys predate the GLEP and the maximum key length only matters if I lose control of my both my key and the revocation certificate, which is highly unlikely. I will set one after reviewing the GPG documentation to make sure that I don’t mess up. I’ll just update the expiration date every year and it will effectively be the same thing. By the way, the GLEP setting amaximum 5 year expiration length seems to be redundant because LDAP is able to revoke permissions for keys regardless of whether they have been formally revoked or expired.
Also, I’ll add a signing subkey too.
My @cs.stonybrook.edu key has been removed from LDAP. I'll revise my @gentoo.org key tomorrow. I want to be certain that I do it the right way. Doing things like this at night is usually does not end well as far as doing things the right way is concerned.
I have pushed an updated key to the key server. glep63-check now says: 20EE1199BEE84C64 [Richard Yao (Gentoo Developer) <ryao@gentoo.org>] [W] expire:long Expiration date is long (is 2023-07-05 20:10:17, <3 years recommended) Also, the shebang for glep63-check should be `#!/usr/bin/env python3`. Regular python is python 2.7 on my system, which doesn't support this script. My PGP key is now in compliance with GLEP 63, so I am closing this as fixed.
