On Mon 2018-04-16 22:23:57 +0200, Thomas Goirand wrote:
> Easy: we just make the new subkeys on a new Yubikey, and keep 2 keys for
> a short time (a month or 2, which is enough for the Debian keymaster to
> update the keys). That's ok because we have lots of spare Yubikeys. I
> guess it should be way more annoying if you don't.

Hm, so are you encouraging people who get these hardware tokens to get
two of them, or is this a "first one's on the house" kind of
arrangement?

> After that period, we can still use the old saved .gnupg that we store
> on an encrypted USB key, together with the private part of the master
> key. We've got to make sure we have access to the private part of the
> master key to exchange key signatures anyway, even if the point of
> having subkeys is to *not* store it on our laptops.

I see, so reading old encrypted messages involves exposing the master
secret key as well?

> I have to admit I don't really like rotating the subkeys that often,
> it's annoying, and I'm not so sure if it adds so much security. :/

I'll set aside whether rotating signing or authentication subkeys is
useful, since this discussion is primarily about decryption-capable
subkeys.  The most important security added by rotating your
decryption-capable subkey comes in when you can actually *delete* the
private part of the subkey.  When you can do that, then anyone who has
captured encrypted messages to that subkey can no longer force the
secret key out of you to decrypt the message.  When we're talking about
transport protocols, we call this property "forward secrecy".  In the
e-mail context, I call this "deletable messages".

If you're not deleting the old decryption-capable subkeys at some point,
then I agree with you that the security gains of subkey rotation are
relatively small.

           --dkg
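The rotation-plus-deletion step dkg describes, as an added example that is not part of the thread: it builds a certify-only primary key with an encryption subkey in a throwaway GNUPGHOME, encrypts one message, adds a fresh subkey, destroys the old subkey's private part by removing its keygrip file, and checks that only the post-rotation message is still decryptable. It assumes gpg >= 2.1 (secret keys stored under private-keys-v1.d) and a constructed user id.

```shell
#!/bin/sh
# Added example, not from the thread: rotate a GnuPG encryption subkey and
# destroy the old subkey's private part, so ciphertexts to the old subkey
# become "deletable messages" (nobody can be compelled to decrypt them).
# Assumes gpg >= 2.1 (secret keys live in private-keys-v1.d/<KEYGRIP>.key)
# and runs in a throwaway GNUPGHOME; the user id is a constructed example.
set -eu

export GNUPGHOME
GNUPGHOME=$(mktemp -d)
chmod 700 "$GNUPGHOME"
# Unprotected keys so the demo runs non-interactively.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

deletable_messages_demo() {
  # Certify-only primary key; encryption capability lives in subkeys only.
  g --quick-gen-key 'Alice Example <alice@example.org>' ed25519 cert never
  fpr=$(g --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
  g --quick-add-key "$fpr" cv25519 encr 1y
  # Keygrip of the only encryption subkey so far (the one we will destroy).
  old_grip=$(g --with-colons --with-keygrip --list-secret-keys \
             | awk -F: '$1=="ssb"{s=1} s && $1=="grp"{print $10; exit}')
  printf 'captured before rotation\n' | g --encrypt --recipient "$fpr" \
      --trust-model always --output "$GNUPGHOME/old.gpg"

  # Rotation: add a fresh encryption subkey and encrypt to it explicitly.
  g --quick-add-key "$fpr" cv25519 encr 1y
  new_fpr=$(g --with-colons --list-secret-keys \
            | awk -F: '$1=="ssb"{s++} s==2 && $1=="fpr"{print $10; exit}')
  printf 'sent after rotation\n' | g --encrypt --recipient "$new_fpr!" \
      --trust-model always --output "$GNUPGHOME/new.gpg"

  # The step that actually buys security: delete the old private part.
  # (Also expire or revoke the old subkey on the public key so that
  # correspondents stop encrypting to it.)
  rm "$GNUPGHOME/private-keys-v1.d/$old_grip.key"

  old=decryptable; g --decrypt "$GNUPGHOME/old.gpg" >/dev/null 2>&1 || old=undecryptable
  new=undecryptable; g --decrypt "$GNUPGHOME/new.gpg" >/dev/null 2>&1 && new=decryptable
  printf 'old:%s new:%s\n' "$old" "$new"
}

RESULT=$(deletable_messages_demo)
echo "$RESULT"   # old:undecryptable new:decryptable
gpgconf --kill gpg-agent 2>/dev/null || true
rm -rf "$GNUPGHOME"
```

Once the keygrip file is gone, even handing over the laptop and the master key cannot recover the message encrypted before the rotation, which is exactly the gain that rotation without deletion does not provide.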
