multiple subkeys and key transition
Robert J. Hansen
rjh at sixdemonbag.org
Fri Dec 10 05:32:08 CET 2010
On 12/9/2010 5:51 PM, John Clizbe wrote:
> I just created new keys after almost 8 years, my old key was 1024D/2048ElG. The
> new keys are 2048-DSA2/2048-RSA and a 3x2048-RSA OpenPGP card.
My personal opinion -- can't back it up with anything more than my own
meandering experience -- is that many OpenPGP users are way too attached
to their certificates.
Sooner or later you *will* have a key compromise event, you *will* need
to revoke keys in a hurry and you *will* need to find some way to
re-establish a WoT with your core correspondents. The question is not
if, the question is only when.
If you never revoke-and-reissue certs (perhaps out of a desire to
preserve your WoT), then when the time comes not only are you going to
be stressed out and not thinking clearly, but you'll be performing a
task that's unfamiliar to you. This isn't something I'd think wise.
Every couple of years I open a binder, flip to the Cert Revocation
Checklist, and go down the list. It's a dry run for a for-real event.
By the end of the event I've discovered places the checklist fails and
needs to be fixed, found "oh, heck, Bob's entered my WoT since I last
wrote this, I need to update that!", etc., etc.
The one time I've needed my Cert Rev Checklist for-real, I was really
glad I had it.
I find this to be a useful exercise. Your mileage may, and probably
will, vary. If you have a very well-developed WoT and don't want to
jeopardize breaking other people's WoTs, then you might not want to do
More information about the Gnupg-users