Mainkey with many subkeys??

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Tue Dec 9 00:49:07 CET 2014


On Monday 8 December 2014 at 6:48:23 PM, in
<mid:5485F277.3020709 at web.de>, Tomo Ruby wrote:


> as I wrote in the mail from Sun Dec 7 22:38:03 CET
> 2014: I know I could just set a new expiration date but
> most times it's recommended to use a key for two years
> at the longest.

Recommended by whom and against what threat model? And, really, the
same lifespan for signing keys as for encryption keys?

I use the supermarket approach to advice: only pick up what I need at
the time. My take on the advice I have most often seen in previous
discussions is to set fairly short expiry dates, and make the decision
whether to replace it or extend its life when the expiry date is
approaching. This gives you an opportunity to review the current state
of your tools, and best practices.



> So if I start counting I end up like
> this: One subkey for authentication, one for signing
> and one for encryption. This makes three new keys every
> two years...

OK, it would, but do you really need them all? If you use subkeys for
each of those three capabilities, have you determined that in all
three cases your threat model requires a new subkey every two years?



> I really don't understand why everyone has only so few
> subkeys...

Because they do not follow the recommendations you have taken on
board.

A lot of keys are created without an expiry date. This is the GnuPG
default; we are frequently exhorted that the defaults are chosen to be
sensible for most users, and to only deviate if you know what you are
doing _and_why_.

A large proportion of keys do not have a signing subkey (certainly of
the 32 we currently encrypt messages to for the PGPNET discussion
group [0], last time I looked there were about 12 or 14 with signing
subkeys).

And an individual who uses GnuPG only for email communication and file
encryption has no need of an authentication key. That is probably a
large percentage of users.


[0] <https://groups.yahoo.com/group/PGPNET>

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

A closed door is an invitation to knock
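As an added illustration of the review MFPA describes (which keys have no expiry date, which have signing or authentication subkeys, and whose expiry is approaching), not code from this thread or from GnuPG itself: a small Python parser for `gpg --with-colons --list-keys` output, run here over a constructed listing so it works offline. It assumes the GnuPG 2 colon format (expiry in field 7 as epoch seconds, capability letters in field 12) and a chosen `warn_days` threshold of 90 days.

```python
"""Audit a GnuPG key listing for expiry and subkey capabilities."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of `gpg --with-colons --list-keys` output (not a real keyring).
# Alice: primary + e/s/a subkeys, all expiring 2016-12-08; Bob: no expiry, e subkey only.
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1417996800:1481155200:u:::scESCA::::::23::0:
uid:u::::1417996800::XXXX::Alice (constructed) <alice@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000002:1417996800:1481155200:::::e::::::23:
sub:u:4096:1:0000000000000003:1417996800:1481155200:::::s::::::23:
sub:u:4096:1:0000000000000004:1417996800:1481155200:::::a::::::23:
pub:u:2048:1:0000000000000005:1417996800::u:::scE::::::23::0:
uid:u::::1417996800::XXXX::Bob (constructed) <bob@example.invalid>::::::::::0:
sub:u:2048:1:0000000000000006:1417996800::::::e::::::23:
"""

@dataclass
class Key:
    keyid: str
    expires: Optional[int]       # field 7: epoch seconds (GnuPG 2), None = no expiry set
    caps: str                    # field 12: capability letters (e, s, a, c)
    subkeys: list = field(default_factory=list)

def parse_listing(text):
    """Group pub/sub records: each primary Key carries its subkeys."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue          # skip uid, fpr and other record types
        rec = Key(keyid=f[4], expires=int(f[6]) if f[6] else None, caps=f[11])
        if f[0] == "pub":
            keys.append(rec)
        else:
            keys[-1].subkeys.append(rec)
    return keys

def audit(keys, now, warn_days=90):
    """Return one dict per primary key summarising the points raised in the thread."""
    report = []
    for k in keys:
        everything = [k] + k.subkeys
        soonest = min((x.expires for x in everything if x.expires), default=None)
        days = None if soonest is None else (soonest - now) // 86400
        report.append({
            "keyid": k.keyid,
            "no_expiry": any(x.expires is None for x in everything),
            "signing_subkey": any("s" in s.caps for s in k.subkeys),
            "auth_subkey": any("a" in s.caps for s in k.subkeys),
            "days_to_expiry": days,
            "review_due": days is not None and days <= warn_days,
        })
    return report
```

On a live system, replace `SAMPLE_LISTING` with the captured output of `gpg --with-colons --list-keys` and pass `int(time.time())` as `now`.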