
Re: "upgrading" my gpg key



On Mon, Jan 04, 2010 at 08:59:16PM +0100, Vincent Danjean wrote:
>   Hi,
> 
> My main gpg public key seems to be a 1024 DSA key (1024D/9D025E87).
> I would like to have a more robust main key. I've created a 4096 RSA
> subkey to sign and encrypt.
> 
> However, is there a way to switch my main key? (i.e. to create a new
> one and change it without losing all my other keys and signatures).

Nope.  RFC 4880 specifies that signatures over User IDs hash the key
data; otherwise, I could create a key (over which you have no control)
with your User ID and have all of your signatures validate on my spoofed
key.

If you have a signing subkey, the only thing that the main key is used
for[0] is signing key data: User IDs (yours and others') and subkeys.
Signing subkeys will be used for signing all data.

>   The immediate "solution" is to create a separate new (main) key,
> sign it and make it signed by other DD and then ask for it to be added
> in Debian keyring.
>   But perhaps gpg guru¹ would have better suggestions ?

If you believe that your main key is sufficiently secure for the limited
purposes for which it will be used, then just create subkeys for
encryption and signing.  If you do not, then you should create a new
main key.  For maximum long-term security, I recommend a 3072-bit DSA
key (preferably with SHA-512) or a 4096-bit RSA key.

Note that you can cross-sign your keys with trust signatures such that
people trusting your old key will implicitly trust signatures made with
your new one.  You can see such an example from my old key (0x560553e7)
to my new one (0x0223b187).

> ¹: does anyone know if it is possible to extract a subkey from a gpg
> key and add it to another gpg key ?

It is possible.  I don't believe that there are any tools that provide
that functionality, though.

[0] This is only true for v4 keys, but they are the only ones that have
the main key/subkey distinction.  GnuPG cannot create v3 keys, but it
can use them.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
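To show concretely why a certification over a User ID cannot be carried to a different primary key, here is an added Python example (not code from the thread or from GnuPG) that builds the byte string a v4 User ID certification hashes per RFC 4880 section 5.2.4. The key packet bodies, timestamps and User ID are constructed placeholders, not real key material.

```python
import hashlib

# RFC 4880 section 9.4 hash algorithm IDs mapped to hashlib names
HASH_ALGS = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}

# Constructed placeholder key packet bodies (v4 layout: version, creation
# time, algorithm, MPIs). NOT real keys, just two distinct byte strings.
OLD_KEY_BODY = b"\x04" + b"\x4b\x42\x8a\x00" + b"\x11" + b"\x00\x08\xa7" * 20  # alg 17 (DSA)
NEW_KEY_BODY = b"\x04" + b"\x4b\x43\x01\x10" + b"\x01" + b"\x00\x10\xc5" * 40  # alg 1 (RSA)
USER_ID = b"Example Person <example@example.org>"  # constructed
# One hashed subpacket: signature creation time (type 2), constructed value
HASHED_SUBPACKETS = b"\x05\x02" + b"\x4b\x42\x8a\x10"


def certification_tbs(key_body, user_id, hashed_subpackets,
                      sig_type=0x10, pubkey_alg=17, hash_alg=10):
    """Return the bytes a v4 User ID certification hashes (RFC 4880, 5.2.4).

    The primary key packet body is hashed first, so the resulting signature
    is bound to that exact key and cannot verify over a different key.
    """
    tbs = b"\x99" + len(key_body).to_bytes(2, "big") + key_body
    tbs += b"\xb4" + len(user_id).to_bytes(4, "big") + user_id
    # Hashed portion of the signature packet itself
    sig_hashed = bytes([0x04, sig_type, pubkey_alg, hash_alg])
    sig_hashed += len(hashed_subpackets).to_bytes(2, "big") + hashed_subpackets
    tbs += sig_hashed
    # Six-octet trailer: version, 0xFF, length of the hashed signature data
    tbs += b"\x04\xff" + len(sig_hashed).to_bytes(4, "big")
    return tbs


def certification_digest(key_body, user_id, hashed_subpackets, **kw):
    """Digest that the certifier's private key actually signs."""
    hash_alg = kw.get("hash_alg", 10)
    tbs = certification_tbs(key_body, user_id, hashed_subpackets, **kw)
    return hashlib.new(HASH_ALGS[hash_alg], tbs).digest()


def certification_carries_over(old_key_body, new_key_body, user_id, hashed_subpackets):
    """True only if a certification made over old_key_body would also verify
    over new_key_body, i.e. both keys yield the same signed digest."""
    return (certification_digest(old_key_body, user_id, hashed_subpackets)
            == certification_digest(new_key_body, user_id, hashed_subpackets))


if __name__ == "__main__":
    # Same User ID, same subpackets, different primary key: the digest differs,
    # so the old certifications can never validate on the new key.
    print(certification_carries_over(OLD_KEY_BODY, NEW_KEY_BODY, USER_ID, HASHED_SUBPACKETS))  # False
```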