GPG, subkeys smartcard and computer

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Tue Feb 21 14:37:57 CET 2017


On 02/21/2017 02:21 PM, Peter Lebbing wrote:
> Revoking the old A key and creating a new one needs to happen on the
> system you have the primary key on, so you need to subsequently roll out

Who said anything about creating a new one in this part of the process?
Each device has separate A subkeys already; you lost your device, so you
revoke the A subkey for it (this step is actually the most tricky, as
revocation certificates can't be generated for subkeys - so you need to
have pre-generated versions of the pubkey with it revoked, created
carefully and manually beforehand).

> the new A key to the compromised device. Obviously I assume the primary
> key was not available on the compromised device, because then the whole

obviously

> certificate would have to be revoked. I don't see much extra effort in
> rolling it out to the few other systems you use as a client as well.

Not following; you don't have access to the primary key at this point
(say you're travelling and the primary is on a smartcard in a vault).

> 
> Also, I think you need to have a way to notify servers that they need to
> get an updated certificate including the revoked old key *right* *now*.
> We're talking about a compromised A key! The attacker has full access to
> your login account for the time that the servers haven't checked for a

Whether there is a need for "right now" depends on severity. The compromise
is in most cases a lost device, not an active attacker, so a 20-30 min
timeframe is likely sufficient in most cases anyway, e.g. from a regular
crontab run of monkeysphere. This should also fit with most key
propagation across the network, as using a single keyserver can create a
SPOF and DoS the update.

> new key yet! Regular intervals just won't do. This looks to be the
> painful step in the process.

... it depends...

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Qui audet vincit
Who dares wins
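
An added example, not part of the original message: a check a server operator could run after each scheduled keyring refresh to confirm that a lost device's authentication (A) subkey is no longer usable. It parses `gpg --with-colons` key listing output; the sample listing, key IDs and function names are constructed for illustration.

```python
from typing import List, NamedTuple

# Constructed sample of `gpg --with-colons --list-keys` output: one primary
# key, one encryption subkey and three per-device authentication subkeys
# (one usable, one revoked, one expired). Key IDs are placeholders.
SAMPLE_LISTING = """\
pub:u:4096:1:1111111111111111:1480000000:::u:::scESCA:
uid:u::::1480000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:4096:1:2222222222222222:1480000000::::::e:
sub:u:2048:1:3333333333333333:1480000000::::::a:
sub:r:2048:1:4444444444444444:1480000000::::::a:
sub:e:2048:1:5555555555555555:1400000000:1450000000:::::a:
"""

# Validity letters (field 2) that make a key unusable.
UNUSABLE = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}


class AuthSubkey(NamedTuple):
    keyid: str
    status: str  # "usable" or one of the UNUSABLE values


def auth_subkeys(listing: str) -> List[AuthSubkey]:
    """Return every authentication-capable subkey with its status."""
    found = []
    primary_problem = None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12:
            continue  # too short to carry a capability field (e.g. fpr)
        if f[0] == "pub":
            # An unusable primary key makes all of its subkeys unusable.
            primary_problem = UNUSABLE.get(f[1])
        elif f[0] == "sub" and "a" in f[11]:
            status = primary_problem or UNUSABLE.get(f[1], "usable")
            found.append(AuthSubkey(f[4], status))
    return found


def still_accepted(listing: str, lost_key: str) -> bool:
    """True if the lost device's A subkey is still usable in this listing.

    lost_key may be a 16-hex-digit key ID or a full fingerprint.
    """
    want = lost_key.replace(" ", "").upper()
    return any(want.endswith(k.keyid) and k.status == "usable"
               for k in auth_subkeys(listing))
```

Run against the real listing after each refresh, a `True` result for the lost device's key means the revoked copy of the certificate has not reached that server yet.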
