Best practice for periodic key change?
kgo at grant-olson.net
Thu May 5 19:30:46 CEST 2011
On 5/5/11 2:52 AM, Andreas Heinlein wrote:
> I hope you can give me some advice on the following problem:
> We have a OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for the signatures to be useful, the key
> has to be signed by quite a lot of well-known people and institutions,
> which means a considerable effort.
> If we just regenerate the whole key every year, we would have to get all
> these signatures again. I have a feeling that generating new subkeys
> might be a solution, but I have never worked with subkeys before, so I
> thought you could give me some advice what would be the best thing to do.
Some organizations create a master signing key, which is (supposedly)
kept secure and usually off-line. That's used to sign the release keys.
Then users sign the master key and/or see if the master key trusts the
key used to sign the release.
Like all the solutions proposed here, I have no idea how usable this
strategy is for people who try to verify software packages, but only
have a limited understanding of OpenPGP's trust model.
"I am gravely disappointed. Again you have made me unleash my dogs of war."
More information about the Gnupg-users