On 04/17/2018 12:33 AM, Daniel Kahn Gillmor wrote:
> On Mon 2018-04-16 22:23:57 +0200, Thomas Goirand wrote:
>> Easy: we just make the new subkeys on a new Yubikey, and keep 2 keys for
>> a short time (a month or 2, which is enough for the Debian keymaster to
>> update the keys). That's ok because we have lots of spare Yubikeys. I
>> guess it would be way more annoying if you don't.
>
> hm, so are you encouraging people who get these hardware tokens to get
> two of them

This is what we do here because we have lots of Yubikeys available; I'm
not saying this fits everyone. Having expiration dates on subkeys is a
good idea for everyone, but maybe generating new subkeys when they expire
isn't (i.e. just changing the expiration date 1 month before they expire
is enough).

>> After that period, we can still use the old saved .gnupg that we store
>> on an encrypted USB key, together with the private part of the master
>> key. We have to make sure we have access to the private part of the
>> master key to exchange key signatures anyway, even if the point of
>> having subkeys is to *not* store it on our laptops.
>
> i see, so reading old encrypted messages involves exposing the master
> secret key as well?

Yes, though it should be an exception; the general use case is that it
should not happen: if you publish the new subkeys early enough, new
messages will be using the new subkey.

> The most important security added by rotating your
> decryption-capable subkey comes in when you can actually *delete* the
> private part of the subkey. When you can do that, then anyone who has
> captured encrypted messages to that subkey can no longer force the
> secret key out of you to decrypt the message.

Oh indeed! Then probably we should just accept the fact that, when
someone encrypts a message with the old key, we can't read it, and we
have to ask for a new message to be sent. I don't think that's a big
problem.

Cheers,

Thomas Goirand (zigo)
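The thread's practical advice is to put expiration dates on subkeys and act about a month before they lapse (extend the date or publish a replacement subkey early enough that new mail uses it). The script below is an added example, not code from this mailing-list thread or from GnuPG: it reads the machine-readable listing that `gpg --with-colons --list-keys` produces and flags primary keys and subkeys that expire within a configurable window, calling out encryption-capable ones separately, since those are the ones whose lapse (and eventual secret-part deletion) makes old ciphertext unreadable. It assumes the documented colon-format field layout (record type, key ID, creation, expiration, capabilities in fields 1, 5, 6, 7 and 12); the sample listing, key IDs and the 30-day default are constructed for the example.

```python
"""Flag GnuPG keys and subkeys nearing expiration from `gpg --with-colons --list-keys` output.

Added example for the subkey rotation discussed in the thread; not code from
the mailing list or from GnuPG. It assumes the documented colon-format listing
(field 1 = record type, 5 = key ID, 6 = creation, 7 = expiration,
12 = key capabilities). The sample listing below is constructed.
"""
import sys
from datetime import datetime, timezone

# Fixed reference time (the date of the mailing-list post) so the constructed
# sample listing is deterministic.
REFERENCE_TIME = datetime(2018, 4, 17, tzinfo=timezone.utc)


def _ts(days_from_reference):
    """Unix timestamp string a given number of days from REFERENCE_TIME."""
    return str(int(REFERENCE_TIME.timestamp()) + days_from_reference * 86400)


# Constructed sample: a primary key with 400 days left, a signing subkey with
# 200 days left, an encryption subkey expiring in 20 days, and an encryption
# subkey that expired 10 days ago (validity field 'e'). Key IDs are placeholders.
SAMPLE_LISTING = "\n".join([
    "tru::1:1523923200:0:3:1:5",
    f"pub:u:4096:1:AAAAAAAAAAAAAAAA:{_ts(-700)}:{_ts(400)}::u:::scESC::::::23::0:",
    "fpr:::::::::0000000000000000000000000000000000000000:",
    "uid:u::::1523923200::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:",
    f"sub:u:4096:1:BBBBBBBBBBBBBBBB:{_ts(-300)}:{_ts(200)}:::::s::::::23:",
    f"sub:u:4096:1:CCCCCCCCCCCCCCCC:{_ts(-300)}:{_ts(20)}:::::e::::::23:",
    f"sub:e:4096:1:DDDDDDDDDDDDDDDD:{_ts(-700)}:{_ts(-10)}:::::e::::::23:",
])


def parse_expiry(field):
    """Expiration field: '' = never expires, a unix timestamp, or YYYY-MM-DD (older gpg)."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_keys(listing):
    """Return one dict per 'pub'/'sub' record with key ID, capabilities and expiry."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in ("pub", "sub"):
            continue
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "expires": parse_expiry(fields[6]),
            "caps": fields[11],
        })
    return keys


def expiring_keys(listing, warn_days=30, now=None):
    """Keys expiring within warn_days, as (type, keyid, caps, days_left).

    Negative days_left means already expired. The 30-day default mirrors the
    one-month lead time suggested in the thread.
    """
    now = now or datetime.now(timezone.utc)
    found = []
    for key in parse_keys(listing):
        if key["expires"] is None:
            continue
        days_left = (key["expires"] - now).days
        if days_left <= warn_days:
            found.append((key["type"], key["keyid"], key["caps"], days_left))
    return found


def report(listing, warn_days=30, now=None):
    """Human-readable report lines; encryption-capable keys get an extra reminder."""
    lines = []
    for ktype, keyid, caps, days_left in expiring_keys(listing, warn_days, now):
        state = f"expired {-days_left} days ago" if days_left < 0 else f"expires in {days_left} days"
        line = f"{ktype} {keyid} [{caps}] {state}"
        if "e" in caps.lower():
            line += " (encryption-capable: publish the replacement before it lapses)"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Usage: gpg --with-colons --list-keys | python3 subkey_expiry.py
    # Without piped input, the constructed sample is reported against REFERENCE_TIME.
    if sys.stdin.isatty():
        entries = report(SAMPLE_LISTING, now=REFERENCE_TIME)
    else:
        entries = report(sys.stdin.read())
    print("\n".join(entries) if entries else "no keys expiring within the warning window")
```

Pipe a real listing into it from a cron job or a shell alias and it becomes the reminder the thread describes: a subkey that shows up here is the one to extend or replace now, while correspondents still have a month to pick up the new public key from the keyservers.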
