Using subkeys to renew an expiring key

Gonzalo Bermúdez gonzalob at
Tue Aug 29 01:12:32 CEST 2006

On Mon, 2006-08-28 at 15:22 -0500, SeidlS at wrote:

> I have two questions regarding how to "renew" this key.
> 1) Is the correct way to renew the key to add another subkey that expires
> in September, 2007, or is there a better way?

I do not know of a better way, so my answer would be yes, it's the
correct way.

> 2) If we do add another subkey that expires in September, 2007, how well
> will the two subkeys work together?  It's going to be difficult to get
> everyone to convert to the updated key in the same day, so we won't be able
> to revoke the subkey at the same time we generate the new one.   Another
> way to say this, we may be encrypting a file with the subkey added, while
> one or more organization may be using the old key (without the new subkey)
> and one or more organizations may be using the new key (with the new
> subkey).  Will this work correctly??

Those who update will start encrypting to the new key, while those who
don't will keep encrypting with the old one until it expires (once it
does expire, they won't be able to encrypt at all until fetching the new
one). In either case, you will still be able to decrypt messages
encrypted to any of those keys, as long as you have the secret
keymaterials, since these do not expire nor get revoked, only public
keys do.

> Are there any other concerns that are being overlooked?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 323 bytes
Desc: This is a digitally signed message part
Url : /pipermail/attachments/20060828/e93a57a0/attachment.pgp

More information about the Gnupg-users mailing list