rotating encryption sub keys
faramir.cl at gmail.com
Fri Aug 28 08:37:02 CEST 2009
David Shaw wrote:
> Incidentally, there have been proposals to add forward security
> extensions to OpenPGP. See http://www.apache-ssl.org/openpgp-pfs.txt
As a side note, I am not sure I like these proposals...
"Therefore when a public
encryption key expires, an OpenPGP client MUST securely wipe the
corresponding private key."
What if I want to be able to decrypt an old email message? If my
encryption key was compromised, and my messages were sniffed, I get no
advantage in deleting my copy of the key and the messages; the attacker
has his own copy of them, and surely won't delete them.
"2.2 Key surrender
Before an OpenPGP client exports a private key as plaintext, the
associated public key MUST be revoked and redistributed. A "reason
for revocation" signature subpacket MUST be included in the key
revocation specifying "Key material has been compromised" (value
That would prevent the storage of a paperkey backup of the key, if the
key doesn't have a passphrase (which could be a good idea, if we assume
paper allows long-term storage, and maybe in 10 years I won't remember
the passphrase I was using at the time I made the backup). Of course
that paper backup should be stored in a safe or something like that.