
Re: Bits from keyring-maint

Hi there!

On Thu, 16 Sep 2010 00:38:25 +0200, Manoj Srivastava wrote:
> On Wed, Sep 15 2010, Henrique de Moraes Holschuh wrote:
>> As for the large keysize, it is seen as too large.  It was recommended
>> that Debian should try to do something that would help reduce the
>> overall threat to the Debian PKI instead of promoting very large key
>> sizes *in order to accommodate for very large key lifetimes*.
>> The recommendation for that one was: smartcards, use main key as a KSK
>> only, and don't let it leave the smartcard.  subkeys have several
>> advantages, they can be smaller than the main key, and they can be
>> replaced without web of trust issues (so you could replace them often,
>> and give them a validity of only 1-2 years).
>         I did not like that, since the card presumably travels with the
>  person, and thus has the potential of getting lost. I prefer to
>  generate my main key and then store it on read-only media, away from
>  any network or computer. The subkeys are what live on the card.

Another reason for not storing the main key on the OpenPGP smartcard is
that smartcards can break and I personally broke some v1.0 OpenPGP
smartcards, both by "chance" (keeping the FSFE Fellowship card in my
pants' back pocket) and while trying to cut them to SIM size.

And please note that all the official documentation, as well as the
unofficial one, advises to store on the smartcard only subkeys and to
make an offline backup of (at least) the encryption subkey (you do not
care about the signature one and the authorization [1] one can be

FWIW, in Debian we should use the already available wiki page:


>> One would use the smartcard only to generate new subkeys and UIDs, and
>> to sign other keys (otherwise, you'd need to re-sign already-signed UIDs
>> when the subkey is about to expire. I didn't check if gnupg lets you use
>> subkeys to sign UIDs on other keys).
>         I use my card for everyday uses, and to sign emails. Signing
>  keys is more involved, though that has only happened 15 times for me so
>  far.

I did this with my (second-)old key (0x9DDB992B), but not yet with the
new one (0xE397832F).  OTOH, with the new one it is mostly the same as
using the OpenPGP smartcard, at least in principle, given that I
generated a signing/encryption/authorization subkey for everyday usage,
while keeping my primary key offline.  As Manoj wrote, the only reason
for primary key usage (obviously, except generating new subkeys) is
signing keys.

Thx, bye,
Gismo / Luca

[1] by default, GnuPG offers to generate an authorization subkey only in
    expert mode!

Attachment: pgprTj0U6To2O.pgp
Description: PGP signature
