On 01/25/2016 02:55 PM, Andrew Gallagher wrote:
> On 25/01/16 10:08, Antoine Michard wrote:
>>
>> So I'm thinking what is best to do next:
>> - Delete my useless first encryption subkey from my keyring and send an update to the key server.
>
> Once you've published a subkey it stays published. Deleting a previously published subkey only removes it from your local machine. It won't stop others from finding it on the keyservers and trying to use it.
>
> If you want to explicitly mark a subkey as "do not use" (but you do not believe that it has been compromised), then give it an expiration date of yesterday and republish. There's no particular reason to delete your local copy of the subkey (and there may be very good reasons not to, e.g. old encrypted data).
>
> NB expiration can be undone, but revocation cannot.
While this is correct in a perfect world, in practice it depends on the context, as expirations can only effectively be extended, due to the possibility of an attacker removing the new self-sig and presenting an older copy of the certificate to a third party. The same goes for revocation: it is true that the keyservers are add-only and provide some protection against it, but it is feasible for an attacker to present this certificate without revocation data to a user that isn't diligent with regards to keyring refreshes, or by manipulation of the update channel (e.g. a preference for fetching from a non-TLS URI rather than a keyserver).

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"Expect the best. Prepare for the worst. Capitalize on what comes." (Zig Ziglar)
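The rollback point Kristian raises, modelled as an added Python example (not from this thread and not GnuPG code): a certificate carries a set of self-signatures, the newest one decides the expiry, and a copy that is missing self-sigs or a revocation the local keyring already holds should be treated as a downgrade rather than accepted. The certificate class, fingerprint and dates are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class SelfSig:
    created: datetime            # signature creation time
    expires: Optional[datetime]  # key expiry carried by this self-sig; None = never

@dataclass
class Cert:
    fingerprint: str
    self_sigs: FrozenSet[SelfSig]  # every self-signature seen for this (sub)key
    revoked: bool = False          # a revocation certificate is present

def effective_expiry(cert: Cert) -> Optional[datetime]:
    """OpenPGP semantics: the most recently created self-signature wins."""
    newest = max(cert.self_sigs, key=lambda s: s.created)
    return newest.expires

def merge(local: Cert, fetched: Cert) -> Cert:
    """Add-only merge, as keyservers do: nothing already known is ever dropped."""
    assert local.fingerprint == fetched.fingerprint
    return Cert(local.fingerprint, local.self_sigs | fetched.self_sigs,
                local.revoked or fetched.revoked)

def is_rollback(local: Cert, fetched: Cert) -> bool:
    """True if the fetched copy lacks self-sigs or a revocation we already hold."""
    missing_sigs = not local.self_sigs <= fetched.self_sigs
    missing_revocation = local.revoked and not fetched.revoked
    return missing_sigs or missing_revocation

# Constructed scenario: fingerprint and dates are made up for the example.
def T(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

FPR = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
original = SelfSig(created=T(2014, 1, 1), expires=T(2017, 1, 1))
retire = SelfSig(created=T(2016, 1, 25), expires=T(2016, 1, 24))  # "expire yesterday"
published = Cert(FPR, frozenset({original, retire}))   # what the owner republished
stripped = Cert(FPR, frozenset({original}))            # newest self-sig removed: looks valid again
revoked_copy = Cert(FPR, frozenset({original}), revoked=True)

if __name__ == "__main__":
    print("honest copy expires:", effective_expiry(published))
    print("stripped copy expires:", effective_expiry(stripped))
    print("rollback detected:", is_rollback(published, stripped))
```

The shortened expiry survives only while the newer self-sig is present; a keyring that merges add-only and refuses rollbacks keeps the retirement (or a revocation) in force even when an older copy is offered.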