Best practice for periodic key change?
Grant Olson
kgo at grant-olson.net
Tue May 10 07:42:08 CEST 2011
On 5/10/2011 1:35 AM, Jerome Baum wrote:
> On Tue, May 10, 2011 at 07:30, Grant Olson <kgo at grant-olson.net
> <mailto:kgo at grant-olson.net>> wrote:
>
> But there's no way to prove that the keys were originally generated
> on-card, and weren't imported from a software private key where there
> was never a separate master certification key.
>
>
> AFAIK, the CAs over here will just supply a card. There is no question
> of whether the key is generated on-card or not -- the CA confirms this
> implicitly with their certification of "this is a valid signing key per
> applicable signature laws".
>
Okay, yeah, if the CA sets up the card, authenticates it with their
signing key, and ships it to you, then there would never be a separate
master key, no problem there. I get the feeling the card won't like it
if you try to create a software signing key, but I'm not sure how that
will work. I do have a spare card here if you want me to test this.
--
Grant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 552 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110510/6f225962/attachment.pgp>
More information about the Gnupg-users
mailing list