Master Key Best Practice with SmartCard

Antoine Michard antoine.michard at chezgeek.fr
Mon Jan 25 15:50:45 CET 2016


>> It works well except that https://encrypt.to uses my first
>> encryption key and I can't decrypt it with my smartcard.
>
> I'd report an issue to encrypt.to maintainer.
> encrypt.to also doesn't handle correctly the case when more than one key
> matches the specified short key id, e.g. https://encrypt.to/0x70096AD1,
> the shown fingerprint doesn't change when you change selection.

I've previously reported my problem too but I haven't had any reply yet!!

>> So I'm thinking about what is best to do next:
>> - Delete my useless first encryption subkey from my keyring and send
>> an update to the key server.
>
> Once you've published a subkey it stays published. Deleting a previously
> published subkey only removes it from your local machine. It won't stop
> others from finding it on the keyservers and trying to use it.
>
> If you want to explicitly mark a subkey as "do not use" (but you do not
> believe that it has been compromised), then give it an expiration date
> of yesterday and republish. There's no particular reason to delete your
> local copy of the subkey (and there may be very good reasons not to,
> e.g. old encrypted data).
>
> NB expiration can be undone, but revocation cannot.
>
> (Remembering our previous conversation, you may instead want to expire
> your smartcard encryption subkey, and copy the other encryption subkey
> to the smartcard - but only if you have made a decrypted copy of all
> your sensitive data first.)

I've already revoked my encryption key on my smartcard, thanks to you, and
it works like a charm (like I said in my previous mail :) ).
And I didn't know that if you delete a subkey you won't delete it on the key
server. Thx again Andrew. You are an incredible source of GPG knowledge.

>> - Recreate a new master key with only the cert role, create all my subkeys
>> (S E A) and copy them to my smart card.
>
> This will just create additional confusion for you, because there will
> now be two certificates associated with your name.  It's not the end of
> the world, but i don't think it would solve your problem as cleanly as
> the above approach.

You were right!! Bad idea ^_^

Thanks all again!! Maybe I will revoke my first encryption key. It's on
my offline master key so I will not use it day-to-day. And recreating my
master key is not a good idea.

Last question: does the clean option only clean locally, or on the key server too??

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 25/01/2016 14:59, Daniel Kahn Gillmor wrote:
> On Mon 2016-01-25 05:08:31 -0500, Antoine Michard wrote:
>> So I'm thinking about what is best to do next:
>> - Delete my useless first encryption subkey from my keyring and send
>> an update to the key server.
> 
> If you don't want people to encrypt messages to your D693C37C subkey,
> you should revoke that subkey (and only that subkey), and publish your
> updated certificate to the keyservers.
> 
> Just deleting the subkey from your certificate locally won't delete the
> associated copy on the keyserver, or provide anyone else with any
> indication that you don't intend to continue using it.
> 
>> - Recreate a new master key with only the cert role, create all my subkeys
>> (S E A) and copy them to my smart card.
> 
> This will just create additional confusion for you, because there will
> now be two certificates associated with your name.  It's not the end of
> the world, but i don't think it would solve your problem as cleanly as
> the above approach.
> 
> hth,
> 
>     --dkg
> 

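As an added example for the subkey-state discussion in this thread (editor's code, not from the thread or from GnuPG itself): a small Python audit that parses the machine-readable listing printed by `gpg --with-colons --list-keys <KEYID>` and reports each subkey as usable, expired or revoked. The listing embedded in the block is constructed, with placeholder key ids and dates. It is the check to run after republishing: fetch the certificate back with `gpg --recv-keys`, feed the listing to the script, and confirm that only the intended encryption subkey is still usable, since a sender's tool may pick any usable encryption subkey it finds.

```python
# Added example, not code from the gnupg-users thread or from GnuPG.
# Audit the subkeys of one OpenPGP certificate from
# `gpg --with-colons --list-keys <KEYID>` output and classify each as
# usable, expired (reversible: the expiry date can be extended) or
# revoked (permanent).
from __future__ import annotations

import time
from dataclasses import dataclass

# Constructed sample listing; key ids, fingerprints and dates are placeholders.
# Colon-format fields used here: 0 record type, 1 validity, 4 key id,
# 5 creation time (epoch), 6 expiry time (epoch or empty), 11 capabilities.
SAMPLE_LISTING = """\
tru::1:1453000000:0:3:1:5
pub:u:4096:1:0000000000000001:1420000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1420000000::0000000000000000000000000000000000000002::Example User <user@example.invalid>::::::::::0:
sub:e:2048:1:0000000000000002:1420000100:1453600000:::::e::::::23:
sub:r:2048:1:0000000000000003:1420000200::::::s::::::23:
sub:u:2048:1:0000000000000004:1420000300::::::e::::::23:
sub:u:2048:1:0000000000000005:1420000400::::::a::::::23:
"""


@dataclass(frozen=True)
class Subkey:
    keyid: str
    validity: str
    created: int
    expires: int | None
    capabilities: str

    def status(self, now: int) -> str:
        """Revocation is permanent; expiry can be undone by extending the date."""
        if self.validity == "r":
            return "revoked"
        if self.validity == "e" or (self.expires is not None and self.expires <= now):
            return "expired"
        return "usable"


def parse_subkeys(listing: str) -> list[Subkey]:
    """Extract the 'sub' records from gpg --with-colons output."""
    subkeys: list[Subkey] = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sub" or len(fields) < 12:
            continue
        subkeys.append(
            Subkey(
                keyid=fields[4],
                validity=fields[1],
                created=int(fields[5]),
                expires=int(fields[6]) if fields[6] else None,
                capabilities=fields[11],
            )
        )
    return subkeys


def audit(listing: str, now: int | None = None) -> dict[str, str]:
    """Map each subkey id to 'status (capabilities)'."""
    now = int(time.time()) if now is None else now
    return {s.keyid: f"{s.status(now)} ({s.capabilities})" for s in parse_subkeys(listing)}


def usable_encryption_subkeys(listing: str, now: int | None = None) -> list[str]:
    """Key ids of encryption-capable subkeys a sender could still pick."""
    now = int(time.time()) if now is None else now
    return [
        s.keyid
        for s in parse_subkeys(listing)
        if "e" in s.capabilities and s.status(now) == "usable"
    ]


if __name__ == "__main__":
    for keyid, state in audit(SAMPLE_LISTING).items():
        print(f"{keyid}: {state}")
    usable = usable_encryption_subkeys(SAMPLE_LISTING)
    if len(usable) > 1:
        print(f"WARNING: {len(usable)} usable encryption subkeys; senders may pick any of them")
    else:
        print(f"usable encryption subkeys: {usable}")
```

The classification mirrors the thread's point: an expired subkey (validity `e`) can be brought back by extending its date, a revoked one (validity `r`) cannot. On the closing question, `clean` in `gpg --edit-key` only rewrites your local copy of the certificate, and SKS-style keyservers merge incoming material rather than removing anything, so signatures or subkeys removed by `clean` do not vanish from the server copy.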