Re: a bunch of questions

2017-11-10 Thread Peter Lebbing 
On 10/11/17 09:50, Francesco Ariis wrote:
> A general word on expiry dates: you can always modify them as you
> go (that's what I do), they are not set in stone?

Well, this depends on your threat model. If I can control what one of
your peers sees, I could strip the self-signatures that change the
expiry date, only keeping the ones that I agree with.

So if you have a self-signature from 16 Dec 2010 that says the key does
not expire, and a self-signature from 10 Nov 2017 that says the key
expires in two years, I could manipulate it such that the second
self-signature never reaches this peer but everything still verifies.
Then the manipulated peer thinks the key will never expire, and I can
"keep the key going" forever.

If however you only ever extend the expiry dates, an attacker could only
fake your still valid key to be expired, rather than the more
troublesome case of faking your expired key to be still valid.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: a bunch of questions

2017-11-10 Thread Francesco Ariis 
On Fri, Nov 10, 2017 at 12:27:22AM -0500, charlie derr wrote:
> I believe that the key I'm signing this message with is 2048 bits and
> will expire next year. If I've got either of those details wrong, please
> correct my error(s). [...]

Hello Charlie,
I see no expiration date on your key (4096, not 2048). Maybe *did*
input an expiration date and then forgot to upload the key again to
a key-server?

A general word on expiry dates: you can always modify them as you
go (that's what I do), they are not set in stone?
So why are they useful? Because this way you can encourage your
friends/workmates to refresh your keys every now and then, getting
all the new subkeys/revocations/etc.

Any reasonable client (I use mutt) should allow you to switch keys,
but since the one you are using is 4096 (very strong!), if it is
not compromised you could use this for the rest of your life.

Does this address your questions?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: a bunch of questions

2017-11-09 Thread Robert J. Hansen 
> I believe that the key I'm signing this message with is 2048 bits and
> will expire next year. If I've got either of those details wrong, please
> correct my error(s).

No.  There's no expiration date on your certificate, and it's a 4096-bit
RSA keypair.

> What size key do you recommend I create in order to be future proof (for
> the rest of my life -- I'm in my early 50s)?

I personally think it's unlikely 4096-bit RSA keys will be broken in the
next twenty years.  Over that timeframe, RSA-4096 is probably stronger
than elliptical curve cryptography: we might (*might*) have quantum
computers large enough to tackle ECC by 2040, but RSA-4096 would require
a far larger quantum computer.

> I believe that the master key for the subkey I'm currently using will
> also expire next year. How would I go about confirming/refuting that
> assumption?

quorra:~ rjh$ gpg --edit-key "Charlie Derr"

pub  rsa4096/BB8B3D7331A9367F
 created: 2010-12-16  expires: never   usage: SCA
 trust: unknown   validity: unknown
sub  rsa4096/F44E4BC7C1F121DD
 created: 2010-12-16  expires: never   usage: E
[ unknown] (1). Charlie Derr 

> I currently use gnupg with two different email accounts (this one and a
> gmail address) and I use different mail clients for each: thunderbird
> with enigmail here and claws-mail (and whatever debian gnupg plugin is
> appropriate for claws) with gmail. How can I set things up so that I can
> switch back and forth between two keys (for signing) until this one
> expires in 2018?

I don't use Claws, so I can't answer that; but Thunderbird+Enigmail
allows you to use whichever key you wish -- just set it up according to
the instructions on the Enigmail webpage.  If the instructions there are
unclear or confusing, I'm happy to help you with it further.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

a bunch of questions

2017-11-09 Thread charlie derr 
Please forgive me for piling several questions into a single post. If
anyone wants to just answer a subset, I'll still be very happy to read
your advice.

I believe that the key I'm signing this message with is 2048 bits and
will expire next year. If I've got either of those details wrong, please
correct my error(s).

I would like to generate a new key (which never expires) and begin to
transition to using it. Mostly I sign messages, but occasionally I
receive encrypted messages from friends. I hope that in the future I
will use gnupg more.

What size key do you recommend I create in order to be future proof (for
the rest of my life -- I'm in my early 50s)?

I believe that the master key for the subkey I'm currently using will
also expire next year. How would I go about confirming/refuting that
assumption?

I currently use gnupg with two different email accounts (this one and a
gmail address) and I use different mail clients for each: thunderbird
with enigmail here and claws-mail (and whatever debian gnupg plugin is
appropriate for claws) with gmail. How can I set things up so that I can
switch back and forth between two keys (for signing) until this one
expires in 2018?

I'm on debian 9 stretch on two different computers with this setup.

   thanks so very much in advance for any answers (or pointers to
appropriate documentation),
  ~c


0x31A9367F.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users