RSA keys for encryption and in general DSA/RSA/ElGamal-keypairs
Atom 'Smasher'
atom at suspicious.org
Fri Jun 18 08:39:11 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 18 Jun 2004, Ulrich Schneider wrote:
> Thanks, that was very helpful.
>
> Besides ... is there a doku how to replace the enc. key with another
> enc. key of higher key length when you want to have the same signature
> key?
==========================
you want to keep the (primary) signing key, and replace an encryption
subkey with something bigger?
you can create a new encryption (sub)key using "--edit-key", "addkey".
you have three options for what to do with the old key:
1) leave it. the default gpg behavior is to use the newest key it can
find. this means that your new key will be used when a gpg user encrypts a
message to you, and the old key will be ignored. i have no idea which
encryption subkey would be used by other pgp applications: if someone is
sending you an encrypted message, and they use MIT-PGP or PGPi, it ~might~
use the old encryption subkey... i don't know...
2) revoke it. in the edit-key menu, select the old key and "revkey".
that subkey still exists, and can be used to decrypt previously encrypted
messages, but anyone with a current copy of the key will not be able to
use that subkey for encryption.
3) delete it. in the edit-key menu, select the old key and "delkey".
that subkey no longer exists and can not be used to encrypt (or decrypt!!)
messages.
option #3 could be dangerous: you will not be able to read messages
encrypted with that subkey. if someone has on older copy of your key
(before you delete that subkey), they can encrypt a message to that subkey
and you will have no way to decrypt it. if your key has *NOT* been
circulated, then deleting the key might be a nice option; if/when you do
put your key into circulation, it won't have an unnecessary subkey in it.
i would recommended options #1 or #2 if your key is in circulation. anyone
could have an old copy of your key, and encrypt a message to a subkey that
is no longer current (but they might not know it). in either case, you
*will* be able to decrypt the message.
if you don't have any signatures on your key, and it's not widely used in
public, you might consider just creating a new key from scratch... make it
as big as you want.
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Proprietary software seeks to maximize its value
solely in monetary terms by achieving a monopoly.
Open Source software maximizes its value by assuring
that a monopoly cannot be achieved."
-- Mark Webbink, Senior Vice President and
General Counsel of Red Hat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iEYEARECAAYFAkDSjhUACgkQnCgLvz19QeOg9wCaAnwSvJX9OMdP2rRBPdnazTRv
BLkAoKWPe+PAJWvXILq5DuHucUsnNZm2
=m8R6
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list