Best practice for periodic key change?

Jerome Baum jerome at
Tue May 10 08:04:15 CEST 2011

On Tue, May 10, 2011 at 07:42, Grant Olson <kgo at> wrote:

> On 5/10/2011 1:35 AM, Jerome Baum wrote:
> > AFAIK, the CAs over here will just supply a card. There is no question
> > of whether the key is generated on-card or not -- the CA confirms this
> > implicitly with their certification of "this is a valid signing key per
> > applicable signature laws".
> >
> Okay, yeah, if the CA sets up the card, authenticates it with their
> signing key, and ships it to you, then there would never be a separate
> master key, no problem there.  I get the feeling the card won't like it
> if you try to create a software signing key, but I'm not sure how that
> will work.  I do have a spare card here if you want me to test this.

I see no possibility, from a theoretical perspective, of signing only
on-card keys (per signature laws) from a distance -- apart from some other
secret stored on the card. In either case, the CA needs to initialize the
card itself.

Jerome Baum

tel +49-1578-8434336
email jerome at
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20110510/cf5b5978/attachment.htm>

More information about the Gnupg-users mailing list