Best practice for periodic key change?

Ingo Klöcker kloecker at
Fri May 6 21:48:03 CEST 2011

On Thursday 05 May 2011, Hauke Laging wrote:
> Am Donnerstag, 5. Mai 2011, 11:19:30 schrieb Werner Koch:
> > A
> > period key change is problematic because it confuses those who want
> > to verify the signatures.
> > 
> > BTW, the prolongation of the expiration time has showed (by means
> > of a lot of complaining mails) that many folks don't refresh the
> > key from time to time with the goal to retrieve revocation
> > certificates.
> What is the difference between these two options with respect to the
> point of confusion?

Unless I'm missing something the difference is as follows:
- With prolongation of the expiration time releases signed before the 
prolongation will keep having a valid signature.
- If one creates a new subkey then releases signed with the old expired 
subkey(s) will have an invalid signature. One would have to re-sign the 
old releases with the new subkey.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20110506/9e1a8305/attachment.pgp>

More information about the Gnupg-users mailing list