
Re: Get your free Yubikey sponsored by Infomaniak (available for free for any DD and DM)



On Sun 2018-04-15 15:49:09 +0200, Thomas Goirand wrote:
> The keys support storing 3 4096 bits subkeys, for auth, encryption and
> signing. You're not supposed to store your master key in the Yubikey,
> instead you'd just save the master key far away in a safe place. The
> only issue is that then, you can't exchange key signature only using the
> Yubikey, but I guess that's fine.
>
> At Infomaniak, we have a master key without expiration, and the 3
> subkeys expire within 365 days, and are renewed every year.

How does this work during the transition phase of encryption subkey
rotation, when you've published your new encryption-capable key (so some
peers have it) but your old encryption-capable key is not yet expired?

During this stage of a subkey transition, i usually have some new
messages arriving that are encrypted to the old subkey, and others that
are encrypted to the new subkey.  If i had put my decryption-capable
subkey on a smartcard with exactly one slot for a decryption key, i
wouldn't be able to decrypt some messages, so the usability seems
problematic.  How do you handle it during this transition?

(note that this assumes that i'm running a MUA like the latest version
of notmuch, which is capable of stashing session keys; otherwise, it's
even worse: decrypting old e-mails from your archive is entirely
impossible once you've rotated your decryption-capable secret key)

           --dkg

