On 09/02/16 11:42, Peter Lebbing wrote:
> On 06/02/16 19:40, Sam Pablo Kuper wrote:
>>> In [this] scenario one would be able to revoke the subkeys and
>>> generate new, without using an off-card copy of the master key
>> I believe that is correct. [...]
> You should just be able to use your smartcard to do all operations with
> the master key on it, including generating and revoking subkeys. There
> is one little snag: with GnuPG before 2.1, it's rather difficult to
> spread one certificate over multiple smartcards. Once it sees one of the
> two, it will mark the other keys as "not available" and never update it
> when it subsequently sees the other smartcard. You need OpenPGP packet
> surgery to transplant the correct data. GnuPG 2.1 does the right thing,
> I believe.

Thanks for the answer, I think I will go for the approach proposed by Sam Pablo. I am indeed inclined to use GnuPG 2.1 as much as possible, as I see it wasteful to have to remember both commands' syntax.
It is not possible to export an on-card subkey, thus I was asking how to properly do this by having a subkey existing both on-key and off-key, but possibly never the master key. I estimate a compromise/revocation of the subkey as affordable, while doing the same for the master key should be avoided as much as possible through best practices.

--
eugene

> HTH,
>
> Peter.
>
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
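
An added example, not part of the thread and not GnuPG's own code: a small audit of where each secret key lives (smartcard, local keyring, or stub only), useful for confirming that the master key never exists off-card while a subkey may. It assumes the colon-separated output of `gpg --list-secret-keys --with-colons` from GnuPG 2.1 or later, where field 15 of `sec`/`ssb` records holds a card serial number, `#` for a stub, or `+` for a locally stored secret key; the key IDs, card serial and function names below are constructed for illustration.

```python
# Added example: classify where each secret key in a GnuPG keyring is stored.
# Input: text printed by `gpg --list-secret-keys --with-colons` (GnuPG >= 2.1 assumed).

# Constructed sample listing; key IDs and the card serial number are made up.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1454000000:::u:::scSC:::D2760001240102000000000000010000:::23::0:
uid:u::::1454000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1454000000::::::e:::+:::23:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1454000000::::::s:::#:::23:
"""


def location(token_field):
    """Map field 15 of a sec/ssb record to a storage location."""
    if token_field == "#":
        return "stub"            # secret part not available on this machine
    if token_field == "+":
        return "on-disk"         # secret part stored in the local keyring
    if token_field:
        return "card:" + token_field  # serial number of the smartcard
    return "unknown"


def audit(listing):
    """Return (record, keyid, capabilities, location) for every secret key."""
    rows = []
    for line in listing.splitlines():
        f = line.split(":")
        # Fields are 1-based in the GnuPG docs: 5 = key ID, 12 = caps, 15 = token.
        if f[0] in ("sec", "ssb") and len(f) >= 15:
            rows.append((f[0], f[4], f[11], location(f[14])))
    return rows


def primary_on_disk(listing):
    """Key IDs of primary (master) keys whose secret part is stored locally."""
    return [kid for rec, kid, _, loc in audit(listing)
            if rec == "sec" and loc == "on-disk"]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
    print("master keys on disk:", primary_on_disk(SAMPLE) or "none")
```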