Hi there! On Thu, 16 Sep 2010 00:38:25 +0200, Manoj Srivastava wrote: > On Wed, Sep 15 2010, Henrique de Moraes Holschuh wrote: >> As for the large keysize, it is seen as too large. It was recommended >> that Debian should try to do something that would help reduce the >> overall threat to the Debian PKI instead of promoting very large key >> sizes *in order to acommodate for very large key lifetimes*. >> >> The recommendation for that one was: smartcards, use main key as a KSK >> only, and don't let it leave the smartcard. subkeys have several >> advantages, they can be smaller than the main key, and they can be >> replaced without web of trust issues (so you could replace them often, >> and give them a validity of only 1-2 years). > > I did not like that, since the card presumably travels with the > person, and thus has the potential of getting lost. I prefer to > generate my main key and than store it on read-only media, away from > any network or computer. The subkeys are what live on the card. Another reason for not storing the main key on the OpenPGP smartcard is that smartcards can break and I personally broke some v1.0 OpenPGP smartcards, both by "chance" (keeping the FSFE Fellowship card in my pants' backpocket) or while trying to cut them to SIM size. And please note that all the official documentation, as well as the unofficial one, advises to store on the smartcard only subkeys and to make an offline backup of (at least) the encryption subkey (you do not care about the signature one and the authorization  one can be replaced). FWIW, in Debian we should use the already available wiki page: http://wiki.debian.org/Smartcards/OpenPGP >> One would use the smartcard only to generate new subkeys and UIDs, and >> to sign other keys (otherwise, you'd need to re-sign already-signed UIDs >> when the subkey is about to expire. I didn't check if gnupg lets you use >> subkeys to sign UIDs on other keys). > > I use my card for everyday uses, and to sign emails. Signing > keys is more involved, though that has ony happened 15 times for me so > far. I did this with my (second-)old key (0x9DDB992B), but not yet with the new one (0xE397832F). OTOH, with the new one it is mostly the same as using the OpenPGP smartcard, at least in principle, given that I generated a signing/encryption/authorization subkey for everyday usage, while keeping my primary key offline. As Manoj wrote, the only reason for primary key usage (obviously, except generating new subkeys) is signing keys. Thx, bye, Gismo / Luca Footnotes:  by default, GnuPG offers to generate an authorization subkey only in expert mode!
Description: PGP signature