Best practice for periodic key change?

Grant Olson kgo at grant-olson.net
Thu May 5 19:30:46 CEST 2011


On 5/5/11 2:52 AM, Andreas Heinlein wrote:
> Hello,
> 
> I hope you can give me some advice on the following problem:
> 
> We have an OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for the signatures to be useful, the key
> has to be signed by quite a lot of well-known people and institutions,
> which means a considerable effort.
> 
> If we just regenerate the whole key every year, we would have to get all
> these signatures again. I have a feeling that generating new subkeys
> might be a solution, but I have never worked with subkeys before, so I
> thought you could give me some advice what would be the best thing to do.
> 
> Thanks,
> Andreas
> 

Some organizations create a master signing key, which is (supposedly)
kept secure and usually off-line.  That's used to sign the release keys.
Then users sign the master key and/or see if the master key trusts the
key used to sign the release.

Like all the solutions proposed here, I have no idea how usable this
strategy is for people who try to verify software packages, but only
have a limited understanding of OpenPGP's trust model.

-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."
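The scheme Grant describes, and the subkey idea Andreas floats in the question, can be walked through end to end with GnuPG. The script below is an added example written for this page, not code from the thread or from the GnuPG project. It assumes GnuPG 2.1 or later (for the quick-* commands, loopback pinentry and ed25519 keys) and a POSIX shell; the user ID, file names and "year 1 / year 2" release labels are invented. It builds three throw-away keyrings: an off-line host that holds a certify-only primary key and mints a one-year signing subkey per year, a build host that receives only the secret subkeys, and a user who imports the public key and checks that each release signature traces back to the same primary fingerprint.

```shell
#!/bin/sh
# Added example (not from the thread). Off-line certify-only primary key,
# yearly signing subkeys, build host holding only subkeys, and end-user
# verification that ties each release signature back to the primary.
# Assumes GnuPG 2.1 or later. Key names, file names and release labels are
# invented for the demonstration.
set -eu

# Run gpg unattended against a given throw-away home directory.
g() {
  home=$1; shift
  GNUPGHOME="$home" gpg --batch --quiet --no-tty --pinentry-mode loopback \
      --passphrase '' "$@"
}

# Print the fingerprint of the primary key and of each subkey in a keyring,
# one per line, primary first (--fingerprint twice forces subkey fingerprints).
fprs() {
  g "$1" --with-colons --fingerprint --fingerprint --list-keys \
      | awk -F: '$1 == "fpr" { print $10 }'
}

# Verify a detached signature as an end user and print two fields from gpg's
# VALIDSIG status line: the fingerprint of the key that made the signature and
# the fingerprint of the primary key it is bound to.
verify_report() {
  g "$1" --status-fd 1 --verify "$2" "$3" 2>/dev/null \
      | awk '$2 == "VALIDSIG" { print $3, $12 }'
}

# Walk through one rotation: create the primary, add the year-1 and year-2
# signing subkeys, hand only the subkeys to a build host, sign a constructed
# release with each, and check as a user that both signatures verify and name
# the same primary. Returns 0 on success, 1 on a failed check, 2 without gpg.
demo_rotate() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 2; }
  work=$(mktemp -d)
  for d in offline build user; do mkdir -m 700 "$work/$d"; done

  # Off-line host: primary key with usage "cert" only, so it can certify
  # subkeys and collect third-party signatures but never signs a release.
  g "$work/offline" --quick-generate-key \
      "Example Releases <releases@example.invalid>" ed25519 cert never || return 1
  primary=$(fprs "$work/offline" | sed -n '1p')
  g "$work/offline" --quick-add-key "$primary" ed25519 sign 1y || return 1   # year 1
  g "$work/offline" --quick-add-key "$primary" ed25519 sign 1y || return 1   # year 2
  sub1=$(fprs "$work/offline" | sed -n '2p')
  sub2=$(fprs "$work/offline" | sed -n '3p')
  [ -n "$sub1" ] && [ -n "$sub2" ] && [ "$sub1" != "$sub2" ] || return 1

  # Build host gets the secret subkeys only; users get the public key.
  g "$work/offline" --export-secret-subkeys "$primary" > "$work/subkeys.gpg"
  g "$work/offline" --export "$primary" > "$work/pub.gpg"
  g "$work/build" --import "$work/subkeys.gpg" || return 1
  g "$work/user" --import "$work/pub.gpg" || return 1
  # "sec#" in the listing means the primary secret key is only a stub here.
  g "$work/build" --list-secret-keys | grep -q '^sec#' || return 1

  # Two yearly releases, each signed with that year's subkey ("!" pins the
  # exact subkey instead of letting gpg pick the newest one).
  for y in 1 2; do
    printf 'constructed release payload, year %s\n' "$y" > "$work/release-$y.tar"
  done
  g "$work/build" --local-user "$sub1!" --detach-sign \
      --output "$work/release-1.tar.sig" "$work/release-1.tar" || return 1
  g "$work/build" --local-user "$sub2!" --detach-sign \
      --output "$work/release-2.tar.sig" "$work/release-2.tar" || return 1

  # End user: both signatures are good, each made by a different subkey, and
  # both trace back to the one primary whose fingerprint the user checked.
  r1=$(verify_report "$work/user" "$work/release-1.tar.sig" "$work/release-1.tar")
  r2=$(verify_report "$work/user" "$work/release-2.tar.sig" "$work/release-2.tar")
  [ "$r1" = "$sub1 $primary" ] || return 1
  [ "$r2" = "$sub2 $primary" ] || return 1

  for d in offline build user; do
    gpgconf --homedir "$work/$d" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
  echo "ok: releases signed by $sub1 and $sub2, both certified by $primary"
}

rc=0
demo_rotate || rc=$?
echo "demo_rotate returned $rc"
```

Two details carry the security point. The build host's secret keyring lists the primary as `sec#`, a stub, so a compromise there costs one year's subkey and not the identity that third parties have signed; and the `VALIDSIG` line a verifier gets back ends with the primary fingerprint, which is the one value a user who has signed or checked the master key needs to compare, whichever subkey happened to make that year's signature. The one-year expiry on each subkey is what enforces the rotation the question asks for; the primary is created with no expiry here, but giving it one and extending it from the off-line host works the same way.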



More information about the Gnupg-users mailing list