Smartcard & expiring keys

Alex Mauer hawke at hawkesnest.net
Thu May 10 20:03:47 CEST 2007


Daniele Cortesi wrote:
> 
> Let's get to the point: the next year, when these new keys will expire, I
> will have to create new keys and to do this I'll have to replace the
> keys on the smartcard which are not saved elsewhere. This means that
> after that operation I won't be able to read past encrypted messages
> anymore, am I correct?

Correct.  For this reason I for one do not use an encryption key on a
smartcard; I use the smartcard only for signing and authentication.

This also applies to damage/loss of the smartcard: once that privkey is
gone you can't read emails encrypted with it.

At the very least, it's probably better to generate the key outside of
the smartcard and then import it.  This way in addition to still being
able to decrypt messages with an expired key, you also get a backup
(which is of course relatively easy to keep offline: keep it on a USB
key, print it out, whatever).

-Alex Mauer "hawke"
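
Added example, not part of the original post: a check for the situation discussed above, listing encryption-capable secret keys whose private part lives only on a smartcard. It assumes the colon listing format of GnuPG 2.1 or later (field 12 = capabilities, field 15 = token serial number, "+" for an on-disk key, "#" for a stub); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints one
# line per encryption-capable secret (sub)key that is held on a smartcard:
#   <keyid> <card serial> <expiry as epoch seconds, or "never">
# Assumption: GnuPG >= 2.1 colon format (see doc/DETAILS in the GnuPG source).
card_encryption_keys() {
    awk -F: '
        # sec = primary secret key, ssb = secret subkey.
        # Field 12: lowercase letters are this key own capabilities (e = encrypt).
        # Field 15: card serial if on a token, "+" if on disk, "#" if a stub.
        ($1 == "sec" || $1 == "ssb") && $12 ~ /e/ &&
        $15 != "" && $15 != "+" && $15 != "#" {
            expiry = ($7 == "") ? "never" : $7
            print $5, $15, expiry
        }'
}

# Constructed sample listing (key IDs and card serial are made up):
# key 1 keeps sign, encrypt and auth keys on a card; key 2 is entirely on disk.
sample_listing() {
    cat <<'EOF'
sec:u:2048:1:1111111111111111:1178000000:1209600000::u:::scESCA:::D2760001240102000000000000010000::
uid:u::::1178000000::0000000000000000000000000000000000000000::Card User <card@example.org>:
ssb:u:2048:1:2222222222222222:1178000000:1209600000:::::e:::D2760001240102000000000000010000::
ssb:u:2048:1:3333333333333333:1178000000:1209600000:::::a:::D2760001240102000000000000010000::
sec:u:2048:1:4444444444444444:1178000000:::u:::scESC:::+::
uid:u::::1178000000::0000000000000000000000000000000000000000::Disk User <disk@example.org>:
ssb:u:2048:1:5555555555555555:1178000000::::::e:::+::
EOF
}

# Demo on the constructed data; on a real system run instead:
#   gpg --list-secret-keys --with-colons | card_encryption_keys
sample_listing | card_encryption_keys
```

Each key ID printed is a decryption key that exists only on the card, so replacing, losing or damaging the card makes mail encrypted to it unreadable unless a copy was exported before the key was moved there.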
