restoring a key

Alex Frenklakh afrenkla@globeop.com
Wed Oct 24 22:58:02 2001


thanks for your suggestions,

what i originally intended WAS to extend the life of the key.
It is a signature key, and i tried switching to it with

key "subkey number" 
and then do --expire..

gpg allowed me to do this, and didn't throw any errors, but
strangely enough the key was still listed as expired, with the original
expiration date (even though i extended it to infinity).

at this point, being pressed for time i generated a new key pair and 
re-distributed public key to clients..


--
Alex Frenklakh
Developer
GlobeOp Financial Services
afrenkla@globeop.com <mailto:afrenkla@globeop.com>


-----Original Message-----
From: David Shaw [mailto:dshaw@jabberwocky.com]
Sent: Wednesday, October 24, 2001 1:41 PM
To: gnupg-users
Subject: Re: restoring a key


On Wed, Oct 24, 2001 at 07:14:22PM +0200, disastry@saiknes.lv.NO.SPaM.NET
wrote:

> > David Shaw wrote:
> > > > If it's a signing subkey that expired (probably not), you'll need to
> > > > select that subkey with "key the_subkey_number" before you type
> > > > "expire".
> > > > David
> > >
> > > if the signing subkey is expired, just generate new subkey.
> > 
> > Sure, but the question was how to do it without generating a new key.
> > There are several reasons why someone might want to extend the
> > lifetime of an existing key rather than generate a new one.
> 
> yes.. keys life, but I can't find reason to extend subkey's life.

Neither of us knows the situation and the threat model for the original
poster.  Again, he said he wanted to extend the life of the original
key *rather than* creating a new one.

> I doubt it is even possible (I have not tested however).
> RFC probably allows multiple subkey binding signatures (I'm not sure),
> but gpg does not handle 'em well.

It is possible, the RFC does allow it, and gpg handles it just fine.
I use this feature frequently.

> and if you extend keys (subkeys) life you'll sooner or
> later end with several self (binding) signatures
> (because keyservers delete nothing)

Assuming he is using the keyservers.  In my work, I use signing
subkeys for embedded software authentication.  Those keys never hit
the keyservers either.  In any event, so what?  GnuPG handles multiple
binding signatures quite well.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson


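How a reader of a key can resolve several binding signatures on one subkey, as an added example that is not part of the original thread and is not GnuPG's code. It assumes the rule the OpenPGP RFC recommends (priority to the most recent self-signature) and that the Key Expiration Time subpacket counts seconds from the key's creation time; the class, function names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class BindingSig:
    """One subkey binding signature (simplified model, not a packet parser)."""
    created: int                    # signature creation time, Unix seconds
    key_expire_secs: Optional[int]  # Key Expiration Time; None or 0 = never
    verifies: bool = True           # did it check out against the primary key?


def effective_expiry(key_created: int, sigs: Iterable[BindingSig]) -> Optional[int]:
    """Return the subkey's expiry as Unix time, or None if it never expires.

    Raises ValueError when no binding signature verifies: such a subkey is
    not bound to the primary key and must not be trusted at all.
    """
    good = [s for s in sigs if s.verifies]
    if not good:
        raise ValueError("no valid binding signature")
    # Older bindings stay on the key (keyservers delete nothing); newest wins.
    latest = max(good, key=lambda s: s.created)
    if not latest.key_expire_secs:
        return None
    # The offset is relative to the *key* creation time, not the signature's.
    return key_created + latest.key_expire_secs


def is_expired(key_created: int, sigs: Iterable[BindingSig], now: int) -> bool:
    expiry = effective_expiry(key_created, sigs)
    return expiry is not None and now >= expiry


# Constructed sample data: a subkey bound with a 30-day lifetime, later
# re-bound with no expiry, plus a newer signature that fails verification.
DAY = 86400
KEY_CREATED = 1_000_000_000
ORIGINAL = BindingSig(created=KEY_CREATED, key_expire_secs=30 * DAY)
EXTENDED = BindingSig(created=KEY_CREATED + 40 * DAY, key_expire_secs=None)
FORGED = BindingSig(created=KEY_CREATED + 50 * DAY, key_expire_secs=1, verifies=False)

if __name__ == "__main__":
    now = KEY_CREATED + 45 * DAY
    print("old copy expired:", is_expired(KEY_CREATED, [ORIGINAL], now))
    print("updated copy expired:", is_expired(KEY_CREATED, [ORIGINAL, EXTENDED], now))
```

A copy of the key that carries only the older binding signature still evaluates to the old date, so an extended key has to be re-exported to everyone who verifies with it.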