Conversation

Jarkko Sakkinen

Sometimes I feel that I'd like to migrate my certificate key some day from the current RSA-4096 to Ed25519.

Can I bless the trust to the new certificate key or do I actually have to fucking meet F2F other kernel maintainers? ;-)

#linux #kernel #pgp

Jarkko Sakkinen

Edited 7 days ago
The reason being the key length. Right, and I also would like to re-parent my subkeys if I ever do that.

@jarkko why do you need to bring over the subkeys?

@andrewg Less migration in one shot :-) I could create new ones if that is impossible but then I need to update e.g. my authentication key in a number of places.

@jarkko I think sequoia supports adoption of old subkeys, but I haven't tried it myself. Migration to new pgp keys is still very much WIP... 😳

@andrewg Yeah, so I'm also proactively worried about the web of trust in this case, as unless I can migrate trust to a new certificate key, it is impossible to use it in future new subkeys, e.g. for signing Git tags for the Linux kernel.

@jarkko sq key rotate will do most of the heavy lifting, including cross-certifying and replaying certifications that you made.

https://sequoia-pgp.gitlab.io/sequoia-sq/man/sq-key-rotate.1.html

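The "bless the trust" step that the thread is circling around is cross-certification: the old primary key certifies the new one and vice versa, so anyone who already trusts the old key has a verifiable path to the new one. The following is an added example, not code from this thread, from sequoia, or from the kernel project; it performs that one step by hand with GnuPG (whose flags are well documented) rather than with `sq key rotate`, and it does not replay third-party certifications the way the sq command is described to. It assumes `gpg` (2.1 or newer) and `gpgconf` on PATH and works entirely in a throwaway `GNUPGHOME`; the user IDs, addresses and key sizes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): cross-certify an old RSA primary
# (certificate) key and a new Ed25519 one with GnuPG, then verify that
# each certificate carries a good certification made by the other.
# Assumes gpg >= 2.1 and gpgconf on PATH. All state lives in a throwaway
# GNUPGHOME so the real keyring is never touched.
set -e

command -v gpg >/dev/null 2>&1 || { echo "gpg >= 2.1 is required" >&2; exit 1; }

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# g: gpg with no prompts and an empty passphrase (throwaway keys only).
g() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# make_key USERID ALGO -> prints the primary key fingerprint.
# Usage "default" gives a cert+sign primary plus an encryption subkey.
make_key() {
    g --quick-generate-key "$1" "$2" default never >/dev/null 2>&1
    g --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# keyid_of FPR -> the 64-bit key ID (last 16 hex digits of the fingerprint),
# which is what "sig" records carry in field 5 of --with-colons output.
keyid_of() {
    printf '%s' "$1" | tail -c 16
}

# cross_certify OLD_FPR NEW_FPR: the old key certifies the new key's user
# IDs ("the identity behind the old key vouches for this new key") and the
# new key certifies the old one, so trust can be followed in either direction.
cross_certify() {
    g --yes --default-key "$1" --quick-sign-key "$2"
    g --yes --default-key "$2" --quick-sign-key "$1"
}

# has_cert_from CERT_FPR SIGNER_FPR -> exit 0 if CERT carries a good ("!")
# certification made by SIGNER, exit 1 otherwise. --check-sigs verifies each
# signature against the keys in the keyring and reports the status in field 2.
has_cert_from() {
    g --with-colons --check-sigs "$1" \
      | awk -F: -v k="$(keyid_of "$2")" \
          '$1 == "sig" && $2 == "!" && $5 == k { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed demo identities: an "old" RSA-4096 key and a "new" Ed25519 key.
OLD="$(make_key 'Old Identity <old@example.test>' rsa4096)"
NEW="$(make_key 'New Identity <new@example.test>' ed25519)"
cross_certify "$OLD" "$NEW"

# Check both directions; the functions return 0/1 so a script can act on it.
if has_cert_from "$NEW" "$OLD" && has_cert_from "$OLD" "$NEW"; then
    echo "cross-certification in place: $OLD <-> $NEW"
else
    echo "cross-certification missing" >&2
    exit 1
fi
```

The check at the end is the part worth keeping around: before retiring the old key, confirm that the new certificate actually carries a good certification from the old one, because that signature is what lets a verifier who only knows the old key accept the new key (and later, subkeys bound to it) without a fresh in-person verification.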
@andrewg Or if I revoke my old certificate key, my legacy subkeys will also have problems sooner or later. That would leave me in a situation of being in between the "crypto subspaces".
@nwalfield I'll experiment. Never tried sequoia before but have heard good things about it, thanks for pointing these two commands out!

@jarkko I'm currently working on a draft spec that does just this, but nobody has implemented it yet. If this would be of use to kernel developers, I'd be happy to mention it, to encourage the implementers... https://datatracker.ietf.org/doc/draft-ietf-openpgp-replacementkey/

@andrewg Thanks, much appreciated! I will check this out, thank you. It might take a few weeks, but I'll put it on my unofficial, employer-agnostic backlog ;-)

I have one IETF implementation in progress that I should some day finish up for TPM2 bits:

https://datatracker.ietf.org/doc/draft-woodhouse-cert-best-practice/

I've started v8 of this but other stuff got in the way:

https://lore.kernel.org/linux-integrity/20240528210823.28798-1-jarkko@kernel.org/

Not forgotten tho, sometimes things just take a bit of time :-)
@andrewg @nwalfield I did not expect anything from this, and got so much great feedback, thank you!
@andrewg @nwalfield And you really know how to pitch your software.

Usually it is like "look, I made this better version of this tool in Rust" or something, not pointing out the exact features that help to solve a particular problem (and more often than not you end up finding that the particular tool cannot solve your problem).

This kind of doing the right things right is rare today (unfortunately).