Re: Bits from keyring-maint
On Wed, Sep 15 2010, Henrique de Moraes Holschuh wrote:
> As for the large keysize, it is seen as too large. It was recommended
> that Debian should try to do something that would help reduce the
> overall threat to the Debian PKI instead of promoting very large key
> sizes *in order to accommodate for very large key lifetimes*.
> The recommendation for that one was: smartcards, use main key as a KSK
> only, and don't let it leave the smartcard. subkeys have several
> advantages, they can be smaller than the main key, and they can be
> replaced without web of trust issues (so you could replace them often,
> and give them a validity of only 1-2 years).
I did not like that, since the card presumably travels with the
person, and thus has the potential of getting lost. I prefer to
generate my main key and then store it on read-only media, away from
any network or computer. The subkeys are what live on the card.
> One would use the smartcard only to generate new subkeys and UIDs, and
> to sign other keys (otherwise, you'd need to re-sign already-signed UIDs
> when the subkey is about to expire. I didn't check if gnupg lets you use
> subkeys to sign UIDs on other keys).
I use my card for everyday uses, and to sign emails. Signing
keys is more involved, though that has only happened 15 times for me so
If you keep anything long enough, you can throw it away.
Manoj Srivastava <email@example.com> <http://www.golden-gryphon.com/>
4096R/C5779A1C E37E 5EC5 2A01 DA25 AD20 05B6 CF48 9438 C577 9A1C
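The layout both messages describe, a certify-only primary key that never touches a networked machine and smaller, short-lived subkeys that live on the card or laptop, carried out with GnuPG batch commands, as an added example that is not part of either author's mail. It assumes GnuPG 2.1 or later (the `--quick-*` commands), uses placeholder user IDs and throwaway home directories in place of the real read-only medium and smartcard, and picks rsa3072/rsa2048 sizes only for the demo (the thread itself discusses 4096-bit primaries). The checks at the end show what the everyday keyring can and cannot do without the primary key.

```shell
#!/bin/sh
# Added example, not from the thread.  Builds an "offline primary, everyday
# subkeys" GnuPG layout and verifies that the everyday keyring carries only a
# stub for the primary secret key.  User IDs, directories and key sizes are
# placeholders chosen for the demo; assumes gpg >= 2.1 and gpgconf on PATH.
set -eu

UID_DEMO="Demo Key <demo@example.invalid>"          # placeholder user ID
UID_EXTRA="Demo Key (second) <demo2@example.invalid>"  # placeholder user ID

# Run gpg non-interactively against a throwaway home directory, never the
# caller's real ~/.gnupg.  Empty passphrase keeps the demo unattended.
g() {
    h=$1; shift
    gpg --homedir "$h" --batch --no-tty --pinentry-mode loopback --passphrase '' "$@"
}

demo_split_keyring() {
    offline=$(mktemp -d)   # stands in for the read-only medium kept off-line
    card=$(mktemp -d)      # stands in for the smartcard / everyday laptop
    chmod 700 "$offline" "$card"

    # 1. Primary key: certify-only ("cert"), no expiry.  It only ever signs
    #    other keys, UIDs and its own subkeys, so it can stay off-line.
    g "$offline" --quick-generate-key "$UID_DEMO" rsa3072 cert never
    fpr=$(g "$offline" --list-secret-keys --with-colons \
          | awk -F: '$1=="fpr"{print $10; exit}')

    # 2. Subkeys: smaller than the primary and valid for two years.  They can
    #    be replaced without touching the web of trust, because the
    #    certifications other people made are on the primary key and UIDs.
    for usage in sign encr auth; do
        g "$offline" --quick-add-key "$fpr" rsa2048 "$usage" 2y
    done

    # 3. Only the subkeys travel: the primary secret key is exported as a
    #    stub, which is all the everyday keyring needs.
    g "$offline" --export-secret-subkeys "$fpr" | g "$card" --import

    # 4. Checks on the everyday keyring.
    #    'sec#' marks a primary whose secret part is not present.
    g "$card" --list-secret-keys | grep -q '^sec#' || return 1
    [ "$(g "$card" --list-secret-keys --with-colons | grep -c '^ssb:')" -eq 3 ] || return 1
    #    Everyday work (signing data) needs only the subkeys...
    printf 'hello\n' | g "$card" --clearsign >/dev/null || return 1
    #    ...but adding a UID (or certifying someone else's key) needs the
    #    primary, so it must fail here and succeed where the primary lives.
    if g "$card" --quick-add-uid "$fpr" "$UID_EXTRA" 2>/dev/null; then
        return 1
    fi
    g "$offline" --quick-add-uid "$fpr" "$UID_EXTRA"

    gpgconf --homedir "$offline" --kill gpg-agent
    gpgconf --homedir "$card" --kill gpg-agent
    rm -rf "$offline" "$card"
    echo "ok: primary $fpr kept off-line, three 2-year subkeys on the everyday keyring"
}
```

Source the file and call `demo_split_keyring`; it returns non-zero if any of the checks fails. In real use the `offline` directory is the read-only medium Manoj describes and the subkeys go onto the card with `gpg --edit-key ... keytocard` rather than being imported into a second home directory, but the division of duties is the same: data signing and decryption with the subkeys, certification and new UIDs only with the primary.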