-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On Thursday 11 December 2014 at 2:15:26 PM, in <mid:5489a6fe.60...@web.de>, Tomo Ruby wrote: > To be honest I didn't think and search about that too > much, but that was not the point anyways... I'm confused. You seemed to be making quite a point of it. (-: > How do you judge whether to replace the key or not? Of > course there are obvious opportunities when to replace > keys but if nothing special (like the system being > compromised) happens, Or there are new ideas/standards/technology/exploits such that a particular key size or algorithm is no longer considered safe, or something is available with a smaller signature size, for example. Examples include the introduction of subkeys, larger key sizes (2048 instead of 1024), DSA or DSA2 vs RSA, ... > I really know only of this > approach: The more encrypted/signed data I spread over > the web, the easier it might be for an attacker to > calculate the secret key. And because of that I'd > replace on a regular basis. Please correct me here if > I'm wrong!! There are others on this list better placed to answer this. As far as I know, the only thing actually encrypted to your secret key is the session key for each message. > See above, besides Enigmail for example uses default > values with expiration dates... I did not know that. I guess the Enigmail developers must know what they are doing _and_why_. > I'm not sure if I understand you right here but if you > ask why I would use a subkey to sign, the answer is: > Because I want to use an offline mainkey and subkeys > for the daily work... You were asking why most keys seem to have far fewer subkeys (in use or expired/revoked) than the advice you were following would lead you to expect. I was saying that one reason is because a large proportion of keys do not have a signing subkey. (-; My old key was a v3 key that didn't support subkeys, and that lasted me about 11 years. My new key has signing subkeys of both RSA and EDDSA varieties. I understand the idea of offline main keys, but don't see how the use case fits my threat model. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net Always borrow money from a pessimist - they don't expect it back -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUijaDXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwF1cH/AxVGZX8jSLRcaI8fqFOu2+1 HM/pKrWnVgG+sqog2YQzhHFbXdteI0VmhmkKZVW6z8AJesudVFtrYvXNWmaCPywY EDNFu05/G38zIIrAAblM4DXaKXOb6/nJeUeXpt+/JDRs+hRAzWpfbb8q3makCqns 1pHvP/q6fzDldttKPP432mGCFqmpZiRROxXcEH+Hsax+h6uFdytE7DMWM0CO0trK C9ASwZKOzTJ5d+rlRIk0Z09RglJIExfGCDM1+RHmDa1n7B/hMvVt4WMB1d3Vv1ab 1Ha+q0YnNORXTKECbfdv1gHgxSiBub2zRKmV3U0LYlUEdKemFOPizy8gF2l5vOqI vgQBFgoAZgUCVIo2lF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45NfbAQD5rRNgzhyHYHrClccbtLviXCYl og6lJd9lAh9tjGdIqAEAMkRhtr2WRz6WTdUp7RFR4eUd6KJ86GSXk7o9BRFm0gM= =zvmJ -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
