Secret Key replacement
Joseph Oreste Bruni
jbruni at me.com
Wed Sep 2 06:41:34 CEST 2009
On Sep 1, 2009, at 10:51 AM, Seidl, Scott wrote:
> We use gnupg in an automated mode within the organization to encrypt/
> decrypt documents exchanged between companies. The Key Pair we have
> is expiring soon and I am replacing it with a new key pair. This
> new key would be provided to the other companies before the other
> expires.
>
> I have a couple questions about the existing public keys we have
> imported to our key ring.
> 1 – It’s my belief that I have to sign/trust each of the keys with
> the new secret key, is that correct?
> 2 – Is there any command to do a mass sign or must I do a gpg -u
> XXXXXXX --edit-key YYYYYY for each key?
> 3 – What other items am I not thinking of?
>
> Thanks
>
> Scott Seidl
> seidls at schneider.com
>
One thing you could try is to implement a corporate certification-only
key, used for certifying others' keys. You would have a second keypair
used for signing, encryption, and conducting regular business.
Your encryption keypair could expire as normal, but your certifying
key would not. Then you would set up your trust system to only trust
those keys signed by your corporate certification key.
Since your certification key doesn't expire (or at least not as
frequently), you would save yourself the trouble of having to
re-certify all your partners' keys.
-Joe
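The arrangement Joe describes, worked through in GnuPG commands as an added example (this is not code from the thread or from GnuPG's own documentation): a certification-only key that never expires, a rotating operational key, ownertrust granted to the certifier alone, and the mass certification Scott asked about done as a loop instead of one interactive --edit-key per key. It assumes GnuPG 2.1 or later for the --quick-* commands; the company and partner names are made up, and everything runs in throwaway homedirs.

```shell
#!/bin/sh
# Added example: certification-only corporate key + rotating operational key,
# with the trust database set so only keys certified by the corporate key
# become valid. Assumes GnuPG >= 2.1. Names/e-mails are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to run"; exit 0; }
CORP=$(mktemp -d); PARTNER=$(mktemp -d)
trap 'gpgconf --homedir "$CORP" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$PARTNER" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$CORP" "$PARTNER"' EXIT
# Non-interactive gpg against a given homedir; demo keys use an empty passphrase.
g() { _h=$1; shift; gpg --homedir "$_h" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }
fpr_of() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
# Validity letter of a key in the corporate keyring: '-'/'q' not valid, 'f' full, 'u' ultimate.
validity_of() { g "$CORP" --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $2; exit}'; }

# 1. Certification-only key (usage "cert"): it can certify other keys but never
#    sign documents or decrypt, so it can be kept offline and never expire.
g "$CORP" --quick-generate-key 'ACME Corp Certifier' default cert never
CERT_FPR=$(fpr_of "$CORP" 'ACME Corp Certifier')
# 2. Operational key for day-to-day signing/encryption, rotated yearly.
g "$CORP" --quick-generate-key 'ACME Corp Ops <ops@acme.example>' default default 1y
OPS_FPR=$(fpr_of "$CORP" 'ACME Corp Ops')
# 3. A partner key, created in the partner's own keyring and imported public-only.
g "$PARTNER" --quick-generate-key 'Partner Inc <exchange@partner.example>' default default 1y
g "$PARTNER" --export 'Partner Inc' | g "$CORP" --import
PARTNER_FPR=$(fpr_of "$CORP" 'Partner Inc')
# 4. Ownertrust: ultimate (6) for the certifier only. gpg gave the locally
#    generated Ops key ultimate trust as well, so demote it to undefined (2).
#    `trusted-key <keyid>` in gpg.conf is the equivalent standing setting.
printf '%s:6:\n%s:2:\n' "$CERT_FPR" "$OPS_FPR" | g "$CORP" --import-ownertrust
g "$CORP" --check-trustdb
BEFORE=$(validity_of "$PARTNER_FPR")   # not certified yet: '-' or 'q'
# 5. Mass certification: one loop instead of an interactive --edit-key per key.
#    lsign is a non-exportable (local) certification; use --quick-sign-key if
#    partners should see it. The Ops key is certified too, so anyone who trusts
#    the certifier accepts each rotated Ops key without re-validating it.
for fpr in "$PARTNER_FPR" "$OPS_FPR"; do
  g "$CORP" -u "$CERT_FPR" --quick-lsign-key "$fpr"
done
g "$CORP" --check-trustdb
AFTER=$(validity_of "$PARTNER_FPR")    # now 'f' (full)
echo "partner key validity before=$BEFORE after=$AFTER"
```

Encrypting to a partner whose validity is still '-' makes gpg ask for confirmation (or fail under --batch), which is what makes the certifier's signature the gate in automated use.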