
Re: Get your free Yubikey sponsored by Infomaniak (available for free for any DD and DM)



On 04/16/2018 03:09 AM, Daniel Kahn Gillmor wrote:
> On Sun 2018-04-15 15:49:09 +0200, Thomas Goirand wrote:
>> The keys support storing 3 4096-bit subkeys, for auth, encryption and
>> signing. You're not supposed to store your master key in the Yubikey,
>> instead you'd just save the master key far away in a safe place. The
>> only issue is that then, you can't exchange key signatures using only the
>> Yubikey, but I guess that's fine.
>>
>> At Infomaniak, we have a master key without expiration, and the 3
>> subkeys expire within 365 days, and are renewed every year.
> 
> how does this work during the transition phase of encryption subkey
> rotation, when you've published your new encryption-capable key (so some
> peers have it) but your old encryption-capable key is not yet expired?
> 
> During this stage of a subkey transition, i usually have some new
> messages arriving that are encrypted to the old subkey, and others that
> are encrypted to the new subkey.  If i had put my decryption-capable
> subkey on a smartcard with exactly one slot for a decryption key, i
> wouldn't be able to decrypt some messages, so the usability seems
> problematic.  How do you handle it during this transition?

Easy: we just make the new subkeys on a new Yubikey, and keep 2 keys for
a short time (a month or 2, which is enough for the Debian keymaster to
update the keys). That's ok because we have lots of spare Yubikeys. I
guess it should be way more annoying if you don't.

After that period, we can still use the old saved .gnupg that we store
on an encrypted USB key, together with the private part of the master
key. We've got to make sure we have access to the private part of the
master key to exchange key signatures anyway, even if the point of
having subkeys is to *not* store it on our laptops.

I have to admit I don't really like rotating the subkeys that often,
it's annoying, and I'm not so sure if it adds so much security. :/

Cheers,

Thomas Goirand (zigo)

