Re: Bits from keyring-maint
On Wed, Sep 15 2010, Henrique de Moraes Holschuh wrote:
> As for the large keysize, it is seen as too large. It was recommended
> that Debian should try to do something that would help reduce the
> overall threat to the Debian PKI instead of promoting very large key
> sizes *in order to accommodate for very large key lifetimes*.
>
> The recommendation for that one was: smartcards, use main key as a KSK
> only, and don't let it leave the smartcard. Subkeys have several
> advantages, they can be smaller than the main key, and they can be
> replaced without web of trust issues (so you could replace them often,
> and give them a validity of only 1-2 years).

I did not like that, since the card presumably travels with the
person, and thus has the potential of getting lost. I prefer to
generate my main key and then store it on read-only media, away from
any network or computer. The subkeys are what live on the card.

> One would use the smartcard only to generate new subkeys and UIDs, and
> to sign other keys (otherwise, you'd need to re-sign already-signed UIDs
> when the subkey is about to expire. I didn't check if gnupg lets you use
> subkeys to sign UIDs on other keys).

I use my card for everyday uses, and to sign emails. Signing
keys is more involved, though that has only happened 15 times for me so
far.

manoj
--
If you keep anything long enough, you can throw it away.
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
4096R/C5779A1C E37E 5EC5 2A01 DA25 AD20 05B6 CF48 9438 C577 9A1C