multiple subkeys and key transition

Robert J. Hansen rjh at
Fri Dec 10 05:32:08 CET 2010

On 12/9/2010 5:51 PM, John Clizbe wrote:
> I just created new keys after almost 8 years, my old key was 1024D/2048ElG. The
> new keys are 2048-DSA2/2048-RSA and a 3x2048-RSA OpenPGP card.

My personal opinion -- can't back it up with anything more than my own
meandering experience -- is that many OpenPGP users are way too attached
to their certificates.

Sooner or later you *will* have a key compromise event, you *will* need
to revoke keys in a hurry and you *will* need to find some way to
re-establish a WoT with your core correspondents.  The question is not
if, the question is only when.

If you never revoke-and-reissue certs (perhaps out of a desire to
preserve your WoT), then when the time comes not only are you going to
be stressed out and not thinking clearly, but you'll be performing a
task that's unfamiliar to you.  This isn't something I'd think wise.

Every couple of years I open a binder, flip to the Cert Revocation
Checklist, and go down the list.  It's a dry run for a for-real event.
By the end of the event I've discovered places the checklist fails and
needs to be fixed, found "oh, heck, Bob's entered my WoT since I last
wrote this, I need to update that!", etc., etc.

The one time I've needed my Cert Rev Checklist for-real, I was really
glad I had it.

I find this to be a useful exercise.  Your mileage may, and probably
will, vary.  If you have a very well-developed WoT and don't want to
jeopardize breaking other people's WoTs, then you might not want to do
this.  :)

More information about the Gnupg-users mailing list