Best practice for periodic key change?

Daniel Kahn Gillmor dkg at
Tue May 10 06:18:15 CEST 2011

On 05/10/2011 12:01 AM, Jerome Baum wrote:
> c) Program the smart-card so it doesn't sign sub-keys? I'm not familiar with
> the internals of smart-card implementations but the OpenPGP sub-key
> signatures are of a different type than the data signatures. The smart-card
> can probably recognize if it's inadvertently signing a sub-key.

I doubt it -- the bytestring signed during OpenPGP key+userid
certifications has a different prefix than the bytestring signed during
a data signature.

But i think the data signed by a hardware implementation is a digest of
the bytestring, not the bytestring itself.  I don't think a smartcard
would be able to tell the prefix of the underlying bytestring from the
digest it receives as a signature request.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110510/71f32efa/attachment.pgp>

More information about the Gnupg-users mailing list