Renewing expiring key - done correctly?
Hauke Laging
mailinglisten at hauke-laging.de
Tue Dec 3 23:44:20 CET 2013
Am Di 03.12.2013, 08:22:28 schrieb Eric Poellinger:
> PRIMARY QUESTIONS - I am uncertain about the sub-key. When I attempt to
> 'expire' it the date does not seem to change.
What exactly did you do? Did you mark the subkey before and did you save the
changes to the keyring after the expire command?
gpg> key 1
pub 3072R/0x711D8152 created: 2013-11-27 expires: 2014-11-27 usage: SCE
trust: ultimate validity: ultimate
sub* 2048R/0x48C7F0CD created: 2013-11-27 expires: 2015-12-03 usage: S
[...]
gpg> save
> Maybe you cannot expire a sub-key?
You can.
> SECONDARY QUESTION - is there documentation regarding 'best practices' on
> managing expiring keys and renewing via sub-keys --- my theory is that
> doing it this way minimizes the coordination necessary but I am not
> understanding how it works if you have multiple trading partners to
> coordinate with.
Expiration serves two purposes:
1) Passively revoke a key if you have lost access to the secret mainkey (i.e.
to the key itself or to its passphrase).
2) Force your communication partners (people are lazy) to update your
certificate from time to time (requires some understanding on their side).
The length of the validity period is a compromise between higher "security"
and less inconvenience (your own, too).
I am not sure whether I understand correctly what you mean by "renewing". You
can prolong the validity of subkeys and you can replace subkeys. It's not a
big difference for your communication partners. Replacing subkeys for security
reasons makes real sense only if you use a secure offline mainkey.
Usually you upload your certificate (public key) to a key server (or more)
from where everyone can get updates of your certificate.
Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20131203/f8b6453c/attachment-0001.sig>
More information about the Gnupg-users
mailing list