On 25/01/16 10:08, Antoine Michard wrote:
> So I'm thinking what is the best to do next:
> - Delete my useless first subkey encryption from my keyring and send
>   update to key server.

Once you've published a subkey it stays published. Deleting a previously published subkey only removes it from your local machine. It won't stop others from finding it on the keyservers and trying to use it. If you want to explicitly mark a subkey as "do not use" (but you do not believe that it has been compromised), then give it an expiration date of yesterday and republish. There's no particular reason to delete your local copy of the subkey (and there may be very good reasons not to, e.g. old encrypted data).

NB expiration can be undone, but revocation cannot.

(Remembering our previous conversation, you may instead want to expire your smartcard encryption subkey, and copy the other encryption subkey to the smartcard - but only if you have made a decrypted copy of all your sensitive data first.)

> - Recreate a new master key with only cert role and create all my subkey
>   (S E A) and copy it to my Smart Card.

If there's nothing wrong with your primary key there's no need to make a new one. I personally don't think having an extra usage flag counts as sufficiently "wrong" (so long as it's not "E"!). It may not be neat and tidy, but modern implementations should happily verify/auth against multiple subkeys. My current primary key has S,C,A usage and the S,A subkeys haven't caused me any issues so far.

A
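An added example (not part of this thread) that parses `gpg --list-keys --with-colons` output and reports each key's usage flags and whether a subkey is expired or revoked, so you can check what the republished key looks like. The sample output below is constructed with made-up key IDs; field positions follow GnuPG's doc/DETAILS.

```python
"""Summarise key usage flags and subkey status from gpg --with-colons output."""
from dataclasses import dataclass, field

# Validity codes for field 2, from GnuPG's doc/DETAILS.
VALIDITY = {"e": "expired", "r": "revoked", "u": "ultimate", "f": "full",
            "m": "marginal", "n": "never", "-": "unknown", "q": "undefined"}


@dataclass
class Key:
    kind: str                 # "pub" (primary) or "sub" (subkey)
    keyid: str                # field 5
    validity: str             # field 2, decoded via VALIDITY
    expires: int              # field 7, Unix time; 0 means never
    caps: str                 # field 12, lowercase flags of this key only: s c e a
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)


def parse_colons(text):
    """Return the primary keys in TEXT, each carrying its uids and subkeys."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "uid" and current is not None:
            current.uids.append(f[9])           # field 10 holds the user ID
        elif f[0] in ("pub", "sub"):
            lowercase_caps = "".join(c for c in f[11] if c.islower())
            key = Key(f[0], f[4], VALIDITY.get(f[1], f[1]), int(f[6] or 0), lowercase_caps)
            if f[0] == "pub":
                current = key
                keys.append(key)
            else:
                current.subkeys.append(key)
        # fpr, grp and other record types are skipped
    return keys


def stale_encryption_subkeys(keys):
    """Encryption-capable subkeys that are expired but not revoked.

    These still decrypt old data locally, which is why the reply above
    advises expiring a superseded subkey rather than deleting it."""
    return [s.keyid for k in keys for s in k.subkeys
            if "e" in s.caps and s.validity == "expired"]


# Constructed sample: a primary key with S,C,A flags, an expired encryption
# subkey and a current one. Key IDs and fingerprints are made up.
SAMPLE = """\
pub:u:4096:1:0A1B2C3D4E5F6071:1452000000:0::u:::scaSCEA::::::::::0:
fpr:::::::::FEDCBA98765432100A1B2C3D4E5F6071:
uid:u::::1452000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
sub:e:4096:1:1111111111111111:1452000000:1453500000:::::e::::::23:
sub:u:4096:1:2222222222222222:1452100000:0:::::e::::::23:
"""
```

Run on real output with `gpg --list-keys --with-colons` piped in; a stale subkey that shows `revoked` instead of `expired` can no longer be reinstated.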
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users