Master Key Best Practice with SmartCard

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jan 25 14:59:53 CET 2016


On Mon 2016-01-25 05:08:31 -0500, Antoine Michard wrote:
> So I'm thinking about what is best to do next:
> - Delete my useless first subkey encryption from my keyring and send
> update to key server.

If you don't want people to encrypt messages to your D693C37C subkey,
you should revoke that subkey (and only that subkey), and publish your
updated certificate to the keyservers.

Just deleting the subkey from your certificate locally won't delete the
associated copy on the keyserver, or provide anyone else with any
indication that you don't intend to continue using it.

> - Recreate a new master key with only cert role and create all my subkeys
> (S E A) and copy them to my Smart Card.

This will just create additional confusion for you, because there will
now be two certificates associated with your name.  It's not the end of
the world, but i don't think it would solve your problem as cleanly as
the above approach.

hth,

    --dkg
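
An added example, not part of the original message: a small check that reads `gpg --with-colons --list-keys` output and reports whether a given subkey is absent, present or revoked in that copy of the certificate, which shows why a local delete tells correspondents nothing. The three listings are constructed; only the key ID D693C37C comes from the thread, and all other key IDs, dates and the user ID are placeholders.

```shell
#!/bin/sh
# Reads the output of `gpg --with-colons --list-keys <fingerprint>` on stdin
# and reports how one subkey appears in that copy of the certificate.
# $1 is the subkey's key ID (short or long form), matched against the tail of
# field 5 of each "sub" record. Field 2 is the validity ("r" = revoked).
subkey_status() {
    awk -F: -v want="$1" '
        BEGIN { want = toupper(want); state = "absent" }
        $1 == "sub" {
            id = toupper($5)
            if (length(id) >= length(want) &&
                substr(id, length(id) - length(want) + 1) == want)
                state = ($2 == "r") ? "revoked" : (($2 == "e") ? "expired" : "present")
        }
        END { print state }
    '
}

# Constructed records. Only D693C37C comes from the thread; every other
# key ID, the dates and the user ID are placeholders.
PUB='pub:u:4096:1:1111111111111111:1400000000:::u:::scESC:
uid:u::::1400000000::::Example User <user@example.org>:'
CARD_SUB='sub:u:2048:1:2222222222222222:1450000000::::::e:'
OLD_SUB='sub:u:2048:1:33333333D693C37C:1400000000::::::e:'
OLD_SUB_REVOKED='sub:r:2048:1:33333333D693C37C:1400000000::::::e:'

# Three views of the same certificate:
local_after_delete() { printf '%s\n' "$PUB" "$CARD_SUB"; }             # subkey deleted locally only
keyserver_copy()     { printf '%s\n' "$PUB" "$OLD_SUB" "$CARD_SUB"; }  # what others still fetch
after_revocation()   { printf '%s\n' "$PUB" "$OLD_SUB_REVOKED" "$CARD_SUB"; }  # revoked and published

for view in local_after_delete keyserver_copy after_revocation; do
    printf '%-20s %s\n' "$view" "$($view | subkey_status D693C37C)"
done
```
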



More information about the Gnupg-users mailing list