Long Term Key Management With Hardware Tokens

Werner Koch wk at gnupg.org
Wed Jun 23 13:23:45 CEST 2021


On Tue, 22 Jun 2021 21:53, Brandon Anderson said:

> concerned, you could use three. The probability that one card out of
> ten will have a failure in a decade is far higher than the chance that

You should also be concerned that malware bricks your (backup) card.
You can only avoid that by using an always air-gapped box which is pretty
inconvenient.

Paper copies are actually much more reliable.  I meanwhile scribble down
the key using a pencil and paper.  Modern keys are short enough to do
that.  (you should also note the creation date).

> all two or three cards will have a failure. Allowing retirement key
> slots means you can easily choose your level of redundancy while still
> keeping your keys on secure hardware only.

Back to your original request.  A new revision of the OpenPGP card is in
the works and the plan is to add more key slots.  Surely there will be
some support for this in GnuPG.  If you want support for the extra PIV
slots, we first need to find a business case for this (it's not just the
development effort but also the future maintenance work which I have to
consider).


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
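As an added illustration of the pencil-and-paper backup described above (this is example code, not code from the thread or from GnuPG): it renders a secret key as numbered lines of base32 groups with check characters, records the creation date alongside it, and verifies each line on re-entry so a miscopied character or a swapped line is reported instead of silently producing a wrong key. It assumes a 32-byte secret seed (the size of a Curve25519 key) and an OpenPGP-style 4-octet creation timestamp; the seed and date used are constructed sample values.

```python
import base64
import hashlib
import struct

GROUP = 4   # characters per hand-written group
LINE = 16   # data characters per line (four groups)

# Constructed sample values, not a real key: a fixed 32-byte seed and an
# OpenPGP-style creation timestamp (assumption; any unix time works).
SAMPLE_SEED = bytes(range(1, 33))
SAMPLE_CREATED = 1624400625

def _check(index: int, data: str) -> str:
    # Two base32 characters derived from the line number and its data, so a
    # miscopied character or a swapped line is caught when the key is re-typed.
    digest = hashlib.sha256(f"{index}:{data}".encode("ascii")).digest()
    return base64.b32encode(digest)[:2].decode("ascii")

def paper_encode(seed: bytes, created: int) -> list[str]:
    """Render 4-octet creation time + 32-byte secret seed as numbered lines of
    base32 groups (alphabet has no 0/1/8, easy to read back), each with its check."""
    if len(seed) != 32:
        raise ValueError("expected a 32-byte secret seed")
    text = base64.b32encode(struct.pack(">I", created) + seed).decode("ascii")
    text = text.rstrip("=")
    lines = []
    for i in range(0, len(text), LINE):
        chunk = text[i:i + LINE]
        groups = " ".join(chunk[j:j + GROUP] for j in range(0, len(chunk), GROUP))
        n = len(lines) + 1
        lines.append(f"{n:02d}  {groups}  {_check(n, chunk)}")
    return lines

def paper_decode(lines: list[str]) -> tuple[bytes, int]:
    """Reverse of paper_encode; raises ValueError naming the first bad line."""
    text = ""
    for expected, line in enumerate(lines, start=1):
        fields = line.split()
        index, check = int(fields[0]), fields[-1].upper()
        chunk = "".join(fields[1:-1]).upper()   # tolerate lower-case re-entry
        if index != expected or _check(index, chunk) != check:
            raise ValueError(f"line {expected} failed its check; re-read it")
        text += chunk
    raw = base64.b32decode(text + "=" * (-len(text) % 8))   # restore padding
    return raw[4:], struct.unpack(">I", raw[:4])[0]
```

The 36 bytes fit on four short lines; printing `paper_encode(SAMPLE_SEED, SAMPLE_CREATED)` shows the sheet to copy out by hand.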