gnupg-pkcs11 status & future

Peter Lebbing peter at
Fri Feb 26 16:02:14 CET 2016

On 26/02/16 15:18, Werner Koch wrote:
> Rotating does only make sense if you take the old key soon offline.

Why is this the case? I must admit I'm fairly comfortable not rotating
my keys (which are on OpenPGP smartcards). But I can think of lines of
reasoning where it makes sense to rotate, but still keep the old
decryption key available. Think: "There's a non-zero chance that someone
got my private key material, but at least they can only decrypt stuff
encrypted in 2011, all other years use a different key". Note in this
scenario it is nice if I can still easily access my 2011 material as well.

I'm not saying this is a solid line of reasoning. I'm just curious why
limiting access to the decryption key is the only thing that makes sense.


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list