Sounds like I should just regenerate a new 1024 bit RSA primary signing key and copy it to the card (and an encryption subkey as well, of course).
Thank you for your help!

On 3/3/08 7:47 PM, "David Shaw" <[EMAIL PROTECTED]> wrote:

> On Mar 3, 2008, at 4:59 PM, Neal Dudley wrote:
>
>> I have read that it is good practice to create a primary signing key, and
>> then use subkeys on the card. This is the recommended method for setup of
>> the FSFE card, which is just a fancy skin on the OpenPGP card. My problem
>> is that now I have a DSA primary key on trusted media in a safe location,
>> which I have to retrieve for any key signing I want to perform. I cannot
>> simply sign the keys with the signing subkey stored on my OpenPGP card.
>>
>> Are there any security implications for using the same signing key for
>> normal document signing *and* key signing?
>
> There are only minor security implications to this. The main reason
> why you use the primary key to sign keys (called "certification", by
> the way) is semantic. Identity in OpenPGP is a key plus a user ID.
> That key, given the way keys are laid out, is the primary. The
> primary is what certifies (self signs) the user ID.
>
> It is mathematically possible to certify a user ID with a subkey, but
> semantically that subkey isn't part of your identity, so the
> certification is not used.
>
>> This brings me to my last question. Let us assume that I create a primary
>> signing key with an expiration. I then get that key signed by several
>> people. When the expiration date is near, do I simply create a new signing
>> key and sign it with the original key (before it expires, of course)? Is
>> the new key then considered just as trusted as the original key, which has
>> all the signatures on it? Is there any method for transferring the
>> signatures to the new key, or would the new key have to be resigned by
>> everyone that signed the original? Using the default WoT model, doesn't
>> this mean that every third time the key is renewed, it would not be trusted
>> and would need to be resigned by everyone that signed the previous key?
>
> No, you do not need to make a new key or do anything like that. If
> and when your key expires, you can simply extend the expiration date
> as needed. OpenPGP has "soft" key expiration that can be changed at
> will by the keyholder.
>
> David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
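The two points David makes (a certify-only primary with subkeys that would go on the card, and "soft" expiration that the keyholder can extend without losing anyone's certifications) can be checked end to end in a throwaway keyring. The script below is an added example, not part of this thread or of GnuPG's own documentation. It assumes GnuPG 2.1 or later on PATH (the `'*'` form of `--quick-set-expire` needs 2.1.22+), uses made-up names and addresses, and picks rsa2048 arbitrarily; the card transfer step itself is not shown.

```shell
#!/bin/sh
# Added example (not from the original thread): show that an OpenPGP key's
# expiration is "soft" and that third-party certifications survive extending it.
# Everything runs in a temporary GNUPGHOME; keys have no passphrase (throwaway only).
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to run" >&2; exit 0; }

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive wrapper: batch mode, loopback pinentry, empty passphrase.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

fingerprint() {  # primary-key fingerprint of the key matching $1
  g --list-keys --with-colons "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

key_expiry() {  # expiration of primary key $1 as seconds since the epoch
  g --list-keys --with-colons "$1" | awk -F: '$1=="pub"{print $7; exit}'
}

cert_count() {  # exportable certifications on key $1 issued by long key ID $2
  g --list-sigs --with-colons "$1" |
    awk -F: -v s="$2" '$1=="sig" && $5==s {n++} END {print n+0}'
}

# 1. Alice: a certify-only primary key (her identity) plus signing and
#    encryption subkeys, the ones that would be moved to the OpenPGP card.
g --quick-generate-key 'Alice Example <alice@example.invalid>' rsa2048 cert 1y
ALICE=$(fingerprint alice@example.invalid)
g --quick-add-key "$ALICE" rsa2048 sign 1y
g --quick-add-key "$ALICE" rsa2048 encr 1y

# 2. Bob certifies Alice's user ID, as at a key-signing party. The signature
#    is made by Bob's primary key over Alice's primary key + user ID.
g --quick-generate-key 'Bob Example <bob@example.invalid>' rsa2048 cert 1y
BOB=$(fingerprint bob@example.invalid)
BOB_ID=$(printf '%s' "$BOB" | tail -c 16)   # long key ID = last 16 hex digits
g --local-user "$BOB" --quick-sign-key "$ALICE"

OLD_EXPIRY=$(key_expiry "$ALICE")
CERTS_BEFORE=$(cert_count "$ALICE" "$BOB_ID")

# 3. Soft expiration: Alice pushes the date out on the primary key and on
#    every subkey ('*'). No new key is generated and nobody has to re-sign.
g --quick-set-expire "$ALICE" 3y
g --quick-set-expire "$ALICE" 3y '*'

NEW_EXPIRY=$(key_expiry "$ALICE")
CERTS_AFTER=$(cert_count "$ALICE" "$BOB_ID")

printf 'primary expiry (epoch) before: %s  after: %s\n' "$OLD_EXPIRY" "$NEW_EXPIRY"
printf 'certifications by Bob before: %s  after: %s\n' "$CERTS_BEFORE" "$CERTS_AFTER"
```

The expiration date lives in a self-signature that only the primary key can replace, which is why the keyholder can change it at will; Bob's certification is a separate signature over the key and user ID and is untouched by the new self-signature. For a real key, the same `--quick-set-expire` call is what you run before the old date arrives, then publish the updated key so others pick up the new self-signature.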