Best practice for periodic key change?

Hauke Laging mailinglisten at hauke-laging.de
Thu May 5 17:07:27 CEST 2011


On Thursday, 5 May 2011, 11:19:30, Werner Koch wrote:

> A period key change is problematic because it confuses those who want to
> verify the signatures.
> 
> BTW, the prolongation of the expiration time has showed (by means of a
> lot of complaining mails) that many folks don't refresh the key from time
> to time with the goal to retrieve revocation certificates.

What is the difference between these two options with respect to the point of 
confusion?

In my understanding people either refresh their keys often enough or not. If 
they do so then they have either old subkeys with renewed expiration date or 
completely new subkeys. In both cases they should not notice the update; the 
verification result is the same.

Are there people who check the subkey IDs of old and new signatures, get 
confused by a change despite gpg saying it's all right (which IMHO demands 
they have not understood the concept of subkeys)?

BTW: Would it be a good idea for gpg to suggest that the user check for an 
updated version of the key (or do it automatically before if configured to do 
so) if it finds an expired subkey? This would probably not work with the GUIs 
though (but might make the GUI developers offer a similar feature).


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
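As an added example (not from this thread and not GnuPG's own code), a small wrapper policy for the suggestion above: parse gpg's `--status-fd` output and, when a valid signature was made with an expired key or subkey, propose a refresh of the primary key from the keyserver. The status keywords are GnuPG's; the key IDs, fingerprints and timestamps in the sample are constructed.

```python
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "

# Constructed sample of `gpg --status-fd 1 --verify` output for a signature
# made with a subkey whose expiration date has passed (not captured output).
SAMPLE_EXPIRED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1304463600
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example User <user at example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-05-05 1304600000 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""


def parse_status(status_text: str) -> dict:
    """Reduce gpg status lines to the few facts the refresh policy needs."""
    info = {"result": None, "keyid": None, "primary_fpr": None,
            "key_expired": False, "missing_key": False}
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue  # ignore any non-status output
        fields = raw[len(STATUS_PREFIX):].split()
        tag = fields[0]
        if tag in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "BADSIG"):
            info["result"], info["keyid"] = tag, fields[1]
        elif tag == "KEYEXPIRED":
            info["key_expired"] = True
        elif tag == "VALIDSIG" and len(fields) >= 11:
            # Last field is the primary key fingerprint; it differs from the
            # first when the signature was made with a subkey.
            info["primary_fpr"] = fields[10]
        elif tag == "ERRSIG":
            info["result"], info["keyid"] = tag, fields[1]
            info["missing_key"] = fields[6] == "9"  # rc 9: no public key
    return info


def refresh_advice(info: dict) -> Optional[list]:
    """Return the gpg command worth running, or None if nothing is needed.

    Refresh on an expired key: the owner may have extended the expiration
    date or added new subkeys. Fetch on a missing key. A revoked key
    (REVKEYSIG) gets no refresh; revocation is final.
    """
    if info["result"] == "EXPKEYSIG" or info["key_expired"]:
        return ["gpg", "--refresh-keys", info["primary_fpr"] or info["keyid"]]
    if info["result"] == "ERRSIG" and info["missing_key"]:
        return ["gpg", "--recv-keys", info["keyid"]]
    return None
```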