On Tue, 23 Jan 2024 at 21:36, Theodore Ts'o <tytso@xxxxxxx> wrote:
>
> If we told those people who want to pursue key rotation to just
> always upload keys to the Kernel keyring [..]

As long as the keys exist in the kernel.org keyring, it's all good.

That said, I still claim that nobody has *ever* had a valid and
meaningful reason to have expiry dates, so I want to stop you right
there when you talk about "people who want to pursue key rotation".

The absolute *first* thing you should tell those people is "Why? Don't
bother, it's just added pain for no gain".

It's like revocation keys. To a very close approximation, never in the
history of the universe have they been useful and meaningful. The fact
that the keyservers don't even work any more has made them even less
so, since now the revocations will never really spread anyway.

So no. Let's not encourage people to do this silly thing.

If you ABSOLUTELY HAVE TO have expiration dates and other silly games,
yes, I will complain if I can't then easily get your key from the
single reliably working remaining setup.

But if you cannot explain exactly why you absolutely need to do it and
have some external entity that forces you to do silly things ("Your
daughter has been kidnapped, and you're not Liam Neeson"), the answer
should not be "remember to update the key at kernel.org", but simply a
plain "DON'T".

Linus