On Mon 2018-04-16 22:23:57 +0200, Thomas Goirand wrote:
> Easy: we just make the new subkeys on a new Yubikey, and keep 2 keys for
> a short time (a month or 2, which is enough for the Debian keymaster to
> update the keys). That's ok because we have lots of spare Yubikeys. I
> guess it would be way more annoying if you don't.

hm, so are you encouraging people who get these hardware tokens to get
two of them, or is this a "first one's on the house" kind of arrangement?

> After that period, we can still use the old saved .gnupg that we store
> on an encrypted USB key, together with the private part of the master
> key. We've got to make sure we have access to the private part of the
> master key to exchange key signatures anyway, even if the point of
> having subkeys is to *not* store it on our laptops.

i see, so reading old encrypted messages involves exposing the master
secret key as well?

> I have to admit I don't really like rotating the subkeys that often,
> it's annoying, and I'm not so sure if it adds so much security. :/

I'll set aside whether rotating signing or authentication subkeys is
useful, since this discussion is primarily about decryption-capable
subkeys.

The most important security added by rotating your decryption-capable
subkey comes in when you can actually *delete* the private part of the
subkey. When you can do that, then anyone who has captured encrypted
messages to that subkey can no longer force the secret key out of you to
decrypt the message. When we're talking about transport protocols, we
call this property "forward secrecy". In the e-mail context, i call this
"deletable messages".

If you're not deleting the old decryption-capable subkeys at some point,
then I agree with you that the security gains of subkey rotation are
relatively small.

--dkg
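The "deletable messages" property dkg describes, as an added example that is not part of the thread: a scratch GnuPG keyring gets an encryption subkey, a message is encrypted to it, a replacement subkey is added, and the old subkey's secret is deleted (GnuPG 2.1+ accepts the subkey fingerprint with a trailing `!` to remove only that secret). The user id, scratch GNUPGHOME and message are constructed for the demo.

```shell
#!/bin/sh
# Added example: rotate an OpenPGP encryption subkey and delete the old
# secret subkey so already-captured ciphertext becomes unrecoverable.
# Assumes gpg (GnuPG 2.1+) on PATH; user id and message are constructed.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME

# gpg wrapper: non-interactive, unprotected keys (demo only).
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# N-th fingerprint record for a key: 1 = primary key, 2 = first subkey, ...
nth_fpr() {
  gpg --batch --list-keys --with-colons "$1" |
    awk -F: -v n="$2" '$1=="fpr"{c++; if (c==n) {print $10; exit}}'
}

setup_keys() {
  g --quick-generate-key 'Rotation Demo <demo@example.invalid>' ed25519 cert never
  PRIMARY=$(nth_fpr 'demo@example.invalid' 1)
  g --quick-add-key "$PRIMARY" cv25519 encr never   # decryption-capable subkey
  OLD_SUB=$(nth_fpr "$PRIMARY" 2)
}

encrypt_to() { printf '%s' "$2" | g --encrypt --recipient "$1" --trust-model always -o "$3"; }

# Prints "yes" if the ciphertext is still decryptable with this keyring.
can_decrypt() { if g --decrypt "$1" >/dev/null 2>&1; then echo yes; else echo no; fi; }

rotate_and_delete() {
  g --quick-add-key "$PRIMARY" cv25519 encr never   # new subkey for future mail
  g --delete-secret-keys "${OLD_SUB}!"              # '!' = only this subkey's secret
}

setup_keys
encrypt_to "$PRIMARY" 'captured message' "$GNUPGHOME/old.gpg"
BEFORE=$(can_decrypt "$GNUPGHOME/old.gpg")
rotate_and_delete
AFTER=$(can_decrypt "$GNUPGHOME/old.gpg")
# The listing marks the subkey whose secret is gone with 'ssb#'.
gpg --batch --list-secret-keys "$PRIMARY"
echo "decryptable before rotation: $BEFORE, after deleting old secret subkey: $AFTER"
```

The primary key and the new subkey are untouched, so new mail still works; only the old ciphertext, and the ability to be compelled to decrypt it, is gone.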