Hello, I was thinking about subkey expiration when using OpenPGP smartcards.

Expiring a data signing subkey is no problem. Expiring a primary key has no bearing on the issue I'm raising. It has rather large implications, though.

The problem is expiring an encryption-capable subkey on an OpenPGP smartcard, replacing it with a new one. Currently, the OpenPGP smartcard only allows a single en-/decryption-capable key. Suppose after some time I decide an old key has seen its useful lifetime. I'd like to create a new encryption-capable key. However, I definitely need to keep the old key, or I won't be able to see anything encrypted to me in the past.

The current OpenPGP smart card restricts me to a single key for encryption, a single key for signatures, and a single key for authentication. If it were possible to tell the card, on uploading the key, what that key's usage will be, I would be able to have a separate smartcard that decrypted the 3 OpenPGP subkeys I used for encryption previously. This instead of being forced to use 3 separate smartcards.

I get the impression this is a relatively small change to the firmware of the smartcard, but a larger change to the software running on the PC. The current roles of RSA keys were clearly chosen to cover the 3 cases of signing, encryption and authentication. Maybe the card still has enough room for a fourth key, once the purpose isn't fixed anymore? Or even a fifth...

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
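The slot constraint Peter describes can be made concrete with a small model. The following is an added example, not code from the message or from GnuPG: it classifies subkeys by their RFC 4880 key-flag bits (the bit values are the standard ones; the key IDs and the key set are constructed) and counts how many cards are needed under today's fixed-role slots versus a hypothetical card where the usage is declared when the key is uploaded. The `plan_free_role_cards` function models that proposal only; no such card mode exists on the page.

```python
"""Card-slot planning for OpenPGP subkeys: fixed-role slots vs. declared usage.

Added example; the card model and sample subkeys are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Key-flag bits from RFC 4880, section 5.2.3.21.
KF_SIGN = 0x02
KF_ENCRYPT_COMMS = 0x04
KF_ENCRYPT_STORAGE = 0x08
KF_AUTH = 0x20

# Role name -> flag mask. Either encryption bit counts as "encrypt".
ROLE_MASKS = {
    "sign": KF_SIGN,
    "encrypt": KF_ENCRYPT_COMMS | KF_ENCRYPT_STORAGE,
    "auth": KF_AUTH,
}
SLOTS_PER_CARD = 3  # one signature, one decryption, one authentication slot


@dataclass(frozen=True)
class Subkey:
    keyid: str          # constructed label, not a real key ID
    flags: int          # RFC 4880 key-flag bits
    expired: bool = False


def role_of(flags: int) -> str:
    """Map key-flag bits to exactly one card role; mixed-usage keys are rejected
    so the model stays honest about which slot a key would occupy."""
    roles = [r for r, mask in ROLE_MASKS.items() if flags & mask]
    if len(roles) != 1:
        raise ValueError(f"expected exactly one usage, got {roles!r}")
    return roles[0]


def plan_fixed_role_cards(subkeys: List[Subkey]) -> List[Dict[str, str]]:
    """Today's card: each slot accepts only its own role, so a second
    encryption subkey can never share a card with the first one."""
    cards: List[Dict[str, str]] = []
    for sk in subkeys:
        role = role_of(sk.flags)
        for card in cards:
            if role not in card:          # this card still has that role free
                card[role] = sk.keyid
                break
        else:                             # every card's slot for this role is taken
            cards.append({role: sk.keyid})
    return cards


def plan_free_role_cards(subkeys: List[Subkey]) -> List[Dict[str, str]]:
    """Hypothetical card (the message's proposal): usage is declared at upload
    time, so any of the three slots may hold a key of any role."""
    cards: List[Dict[str, str]] = []
    for sk in subkeys:
        if not cards or len(cards[-1]) == SLOTS_PER_CARD:
            cards.append({})
        slot = f"slot{len(cards[-1])}"
        cards[-1][slot] = f"{role_of(sk.flags)} {sk.keyid}"
    return cards


# Constructed key set matching the scenario in the message: one signing and one
# authentication subkey, the current encryption subkey, and three expired
# encryption subkeys that must be kept to read old ciphertext.
ENC = KF_ENCRYPT_COMMS | KF_ENCRYPT_STORAGE
SAMPLE_SUBKEYS = [
    Subkey("S0001", KF_SIGN),
    Subkey("A0001", KF_AUTH),
    Subkey("E0004", ENC),
    Subkey("E0001", ENC, expired=True),
    Subkey("E0002", ENC, expired=True),
    Subkey("E0003", ENC, expired=True),
]


if __name__ == "__main__":
    for name, planner in (("fixed-role", plan_fixed_role_cards),
                          ("declared-usage", plan_free_role_cards)):
        cards = planner(SAMPLE_SUBKEYS)
        print(f"{name}: {len(cards)} card(s)")
        for i, card in enumerate(cards, 1):
            print(f"  card {i}: {card}")
    expired = [sk.keyid for sk in SAMPLE_SUBKEYS if sk.expired]
    print("expired encryption subkeys still needed for old mail:", expired)
```

With the constructed key set the fixed-role planner needs four cards (the three expired encryption subkeys each force a new card), while the declared-usage planner packs the same six keys onto two cards, which is the saving the message argues for.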