Best practice for periodic key change?

Grant Olson kgo at
Tue May 10 07:42:08 CEST 2011

On 5/10/2011 1:35 AM, Jerome Baum wrote:
> On Tue, May 10, 2011 at 07:30, Grant Olson <kgo at
> <mailto:kgo at>> wrote:
>     But there's no way to prove that the keys were originally generated
>     on-card, and weren't imported from a software private key where there
>     was never a separate master certification key.
> AFAIK, the CAs over here will just supply a card. There is no question
> of whether the key is generated on-card or not -- the CA confirms this
> implicitly with their certification of "this is a valid signing key per
> applicable signature laws". 

Okay, yeah, if the CA sets up the card, authenticates it with their
signing key, and ships it to you, then there would never be a separate
master key, no problem there.  I get the feeling the card won't like it
if you try to create a software signing key, but I'm not sure how that
will work.  I do have a spare card here if you want me to test this.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 552 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110510/6f225962/attachment.pgp>

More information about the Gnupg-users mailing list