restoring a key

David Shaw dshaw@jabberwocky.com
Wed Oct 24 19:43:01 2001



On Wed, Oct 24, 2001 at 07:14:22PM +0200, disastry@saiknes.lv.NO.SPaM.NET wrote:

> > David Shaw wrote:
> > > > If it's a signing subkey that expired (probably not), you'll need to
> > > > select that subkey with "key the_subkey_number" before you type
> > > > "expire".
> > > > David
> > >
> > > if the signing subkey is expired, just generate a new subkey.
> >
> > Sure, but the question was how to do it without generating a new key.
> > There are several reasons why someone might want to extend the
> > lifetime of an existing key rather than generate a new one.
>
> yes.. key's life, but I can't find a reason to extend a subkey's life.

Neither of us knows the situation and the threat model for the original
poster.  Again, he said he wanted to extend the life of the original
key *rather than* creating a new one.

> I doubt it is even possible (I have not tested however).
> RFC probably allows multiple subkey binding signatures (I'm not sure),
> but gpg does not handle 'em well.

It is possible, the RFC does allow it, and gpg handles it just fine.
I use this feature frequently.

> and if you extend a key's (subkey's) life you'll sooner or
> later end up with several self (binding) signatures
> (because keyservers delete nothing)

Assuming he is using the keyservers.  In my work, I use signing
subkeys for embedded software authentication.  Those keys never hit
the keyservers either.  In any event, so what?  GnuPG handles multiple
binding signatures quite well.

David

--
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
