Mainkey with many subkeys??
2014-667rhzu3dc-lists-groups at riseup.net
Tue Dec 9 00:49:07 CET 2014
On Monday 8 December 2014 at 6:48:23 PM, in
<mid:5485F277.3020709 at web.de>, Tomo Ruby wrote:
> as I wrote in the mail from Sun Dec 7 22:38:03 CET
> 2014: I know I could just set a new expiration date but
> most times it's recommended to use a key for two years
> at the longest.
Recommended by whom and against what threat model? And, really, the
same lifespan for signing keys as for encryption keys?
I use the supermarket approach to advice: only pick up what I need at
the time. My take on the advice I have most often seen in previous
discussions is to set fairly short expiry dates, and make the decision
whether to replace it or extend its life when the expiry date is
approaching. This gives you an opportunity to review the current state
of your tools, and best practices.
> So if I start counting I end up like
> this: One subkey for authentication, one for signing
> and one for encryption. This makes three new keys every
> two years...
OK, it would, but do you really need them all? If you use subkeys for
each of those three capabilities, have you determined that in all
three cases your threat model requires a new subkey every two years?
> I really don't understand why everyone has only so few
Because they do not follow the recommendations you have taken on
A lot of keys are created without expiry date. This is the GnuPG
default; we are frequently exhorted that the defaults are chosen to be
sensible for most users, and to only deviate if you know what you are
A large proportion of keys do not have a signing subkey (certainly of
the 32 we currently encrypt messages to for the PGPNET discussion
group, last time I looked there were about 12 or 14 with signing
And an individual who uses GnuPG only for email communication and file
encryption has no need of an authentication key. That is probably a
large percentage of users.
MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net
A closed door is an invitation to knock
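The review the post describes (look at each key and subkey as its expiry date approaches, and decide whether to extend or replace it) is easy to script. The following is an added example, not code from the post or from GnuPG: it parses the machine-readable listing that `gpg --list-keys --with-colons` prints, counts how many subkeys carry each capability (sign, encrypt, authenticate), and flags keys that have already expired or will expire within a chosen window, as well as keys with no expiry date at all. The listing embedded below is constructed sample data with placeholder key IDs and a placeholder user ID, not a real key.

```python
"""Inventory subkeys from a `gpg --list-keys --with-colons` listing and flag
keys whose expiry is near.  Added example; the sample listing is constructed."""
from datetime import datetime, timezone

# Constructed sample of `gpg --list-keys --with-colons` output (placeholder
# key IDs).  Fields are colon separated: 0=record type, 4=key ID,
# 5=creation time, 6=expiry time (seconds since the epoch, empty when the key
# never expires), 11=capabilities (s=sign, e=encrypt, a=authenticate,
# c=certify; upper case letters describe the whole key, lower case this key).
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000AAAAAA:1386000000:1449000000::u:::scESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000AAAAAA:
uid:u::::1386000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:0000000000BBBBBB:1386000000:1419000000:::::s::::::23:
sub:u:4096:1:0000000000CCCCCC:1386000000:1449000000:::::e::::::23:
sub:u:4096:1:0000000000DDDDDD:1386000000::::::a::::::23:
"""

CAPABILITY_NAMES = {"s": "sign", "e": "encrypt", "a": "authenticate", "c": "certify"}


def parse_listing(text):
    """Return one dict per pub/sub record: type, keyid, created, expires, caps."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue  # fpr, uid and other record types are not needed here
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "created": int(fields[5]),
            # An empty expiry field means the key has no expiration date.
            "expires": int(fields[6]) if fields[6] else None,
            # Lower-case letters are this particular key's own capabilities.
            "caps": {c for c in fields[11] if c.islower()},
        })
    return keys


def subkey_capability_counts(keys):
    """Count how many subkeys carry each capability (a subkey may carry several)."""
    counts = {name: 0 for name in CAPABILITY_NAMES.values()}
    for key in keys:
        if key["type"] != "sub":
            continue
        for cap in key["caps"]:
            counts[CAPABILITY_NAMES[cap]] += 1
    return counts


def expiring_within(keys, now, days):
    """Split keys into those already expired or expiring within `days` of `now`
    (epoch seconds) and those that carry no expiry date at all."""
    horizon = now + days * 86400
    soon = [k["keyid"] for k in keys
            if k["expires"] is not None and k["expires"] <= horizon]
    never = [k["keyid"] for k in keys if k["expires"] is None]
    return {"expiring": soon, "no_expiry": never}


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    now = int(datetime.now(timezone.utc).timestamp())
    print("subkeys per capability:", subkey_capability_counts(keys))
    print("review needed:", expiring_within(keys, now, 30))
```

To run it against a real keyring, replace `SAMPLE_LISTING` with the captured output of `gpg --list-keys --with-colons`; the capability counts show at a glance whether a key really carries separate signing, encryption and authentication subkeys, which is the question the post raises.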