Master Key Best Practice with SmartCard

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Mon Jan 25 14:58:05 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 01/25/2016 02:55 PM, Andrew Gallagher wrote:
> On 25/01/16 10:08, Antoine Michard wrote:
>> 
>> So I thinking what is the best to do next: - Delete my useless
>> first subkey encryption from my keyring and send update to key
>> server.
> 
> Once you've published a subkey it stays published. Deleting a
> previously published subkey only removes it from your local
> machine. It won't stop others from finding it on the keyservers and
> trying to use it.
> 
> If you want to explicitly mark a subkey as "do not use" (but you do
> not believe that it has been compromised), then give it an
> expiration date of yesterday and republish. There's no particular
> reason to delete your local copy of the subkey (and there may be
> very good reasons not to, e.g. old encrypted data).
> 
> NB expiration can be undone, but revocation cannot.


While this is correct in a perfect world, in practice it depends on
the context as expirations can only effectively be extended due to
possibility for an attacker to remove the new self-sig and presenting
an older copy of the certificate to a third party. The same goes for
revocation, it is true that the keyservers are add-only and provides
some protection against it, but it is feasable for an attacker to
present this certificate without revocation data to a user that isn't
diligent with regards to keyring refreshes or by manipulation of the
update channel (e.g. a preference for fetching from non-tls URI rather
than a keyserver).

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
"Expect the best. Prepare for the worst. Capitalize on what comes."
(Zig Ziglar)
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJWpinoAAoJECULev7WN52Fza0H/Axr/cFYUcEwbTrnK/nldKkr
Qp8PuspNNYTsZzugfD6rOU4OamVStbhxKNHuBu72gRc90RtCHsS3K9mFumyuu9ce
1rTuTiFEBvTAfbsSUrFKjXJstm3DaG4uM5su6DMb671A/UmSdB2uJyVglAGhDAIM
y+ugSMoySHxjCGb2BTSVbmrn0TCUFosPZSx6KkzCuOByXCI/V2dMRadsZBMd2+1V
o2p1PCVoauugePCLMU7naguOjDOFRbKLOIZG0Lxy9fXwrckko1qYDBrY6Fdx1g4j
xC5XVZA6ne1IcsRbvTEmwGJ6gmnKed12BKvMZ4XuNiEJP3ymRFWssflCFvZTt2c=
=/X7N
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list