Best practice for periodic key change?
Hauke Laging
mailinglisten at hauke-laging.de
Thu May 5 17:07:27 CEST 2011
On Thursday, 5 May 2011, 11:19:30, Werner Koch wrote:
> A periodic key change is problematic because it confuses those who want to
> verify the signatures.
>
> BTW, the prolongation of the expiration time has shown (by means of a
> lot of complaining mails) that many folks don't refresh the key from time
> to time with the goal to retrieve revocation certificates.
What is the difference between these two options with respect to the point of
confusion?
In my understanding people either refresh their keys often enough or not. If
they do so then they have either old subkeys with renewed expiration date or
completely new subkeys. In both cases they should not notice the update; the
verification result is the same.
Are there people who check the subkey IDs of old and new signatures, get
confused by a change despite gpg saying it's all right (which IMHO demands
they have not understood the concept of subkeys)?
BTW: Would it be a good idea for gpg to suggest that the user check for an
updated version of the key (or do it automatically before if configured to do
so) if it finds an expired subkey? This would probably not work with the GUIs
though (but might make the GUI developers offer a similar feature).
Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
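As an added illustration of the check suggested in the post above (not code from the post or from GnuPG itself), here is a POSIX shell script that finds expired subkeys in gpg's colon-delimited listing and names the primary keys worth refreshing; the sample listing and its key IDs are constructed.

```shell
#!/bin/sh
# Added example: report subkeys that gpg marks as expired, reading the
# machine-readable listing produced by
#   gpg --with-colons --list-keys
# Colon-separated fields used here: 1=record type, 2=validity
# (e=expired, r=revoked), 5=key ID, 7=expiration time (epoch seconds).
# For each affected primary key the operator can then run
#   gpg --refresh-keys <keyid>
# to fetch the renewed or replacement subkeys and any revocation
# certificate from the configured keyserver.

# Print "<primary keyid> <subkey keyid>" for every expired subkey on stdin.
find_expired_subkeys() {
    awk -F: '
        $1 == "pub" { primary = $5 }
        $1 == "sub" && $2 == "e" { print primary, $5 }
    '
}

# Constructed sample listing: Alice's encryption subkey has expired,
# Bob's subkeys are all still valid. (Key IDs are made up.)
SAMPLE_LISTING='pub:u:4096:1:AAAAAAAAAAAAAAA1:1300000000:::u:::scESC::
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAA:
uid:u::::1300000000::XXXX::Alice Example <alice@example.invalid>::::::::::0:
sub:e:2048:1:BBBBBBBBBBBBBBB2:1300000000:1304000000:::::e::
sub:u:2048:1:CCCCCCCCCCCCCCC3:1304000000:1400000000:::::s::
pub:u:4096:1:DDDDDDDDDDDDDDD4:1300000000:::u:::scESC::
uid:u::::1300000000::YYYY::Bob Example <bob@example.invalid>::::::::::0:
sub:u:2048:1:EEEEEEEEEEEEEEE5:1300000000:1400000000:::::e::'

# Run the check against the constructed sample; with a real keyring use
#   gpg --with-colons --list-keys | find_expired_subkeys
expired_in_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_expired_subkeys
}

# Emit one refresh command per primary key owning an expired subkey.
# Printed rather than executed so the script runs offline.
suggest_refresh() {
    expired_in_sample | awk '!seen[$1]++ { print "gpg --refresh-keys " $1 }'
}

suggest_refresh
```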