Using subkeys to renew an expiring key

SeidlS at schneider.com SeidlS at schneider.com
Tue Aug 29 16:36:26 CEST 2006


> On Mon, 2006-08-28 at 15:22 -0500, SeidlS at schneider.com wrote:
>
> > I have two questions regarding how to "renew" this key.
> > 1) Is the correct way to renew the key to add another subkey that expires
> > in September, 2007, or is there a better way?
>
> I do not know of a better way, so my answer would be yes, it's the
> correct way.
>
> > 2) If we do add another subkey that expires in September, 2007, how well
> > will the two subkeys work together?  It's going to be difficult to get
> > everyone to convert to the updated key in the same day, so we won't be able
> > to revoke the subkey at the same time we generate the new one.  Another
> > way to say this, we may be encrypting a file with the subkey added, while
> > one or more organizations may be using the old key (without the new subkey)
> > and one or more organizations may be using the new key (with the new
> > subkey).  Will this work correctly??
>
> Those who update will start encrypting to the new key, while those who
> don't will keep encrypting with the old one until it expires (once it
> does expire, they won't be able to encrypt at all until fetching the new
> one). In either case, you will still be able to decrypt messages
> encrypted to any of those keys, as long as you have the secret
> keymaterials, since these do not expire nor get revoked, only public
> keys do.


You're talking about documents inbound to my process, encrypted by the other
organizations.  That should work without an issue as you pointed out, but
what about the outbound process?  In that instance we would be encrypting
the file and sending it to the other organizations to be decrypted... would
those organizations that haven't updated to the new key have problems
decrypting the file?

-Scott

>
> > Are there any other concerns that are being overlooked?
> --
> Saludos
> Gonzalo
> [attachment "signature.asc" deleted by Scott Seidl/Schneider]
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users