If you know the recipient, then solving the latter is easy. Ask the recipientIn my setup, when something is sent, only the encrypted mail is sent to my sent folder, so if I were asked as you suggest, I would have no way to send the letter without rewriting it; I assume this is true for others as well. But even so, if it's old mail, the request may be impossible.to resend the message encrypted with your new key.
GnuPG 2.3 does support PIV smartcards and you can create OpenPGP keys (and X.509 certificates/certificate requests) for those card keys. So far, only the standard key slots are supported, but I guess adding support for retired keysI will look into that. Do you know of any PIV cards that support the 25519 curve? Unfortunately, while the Yubikey supports 25519 for GPG, the PIV functions only support 2048 RSA and NIST curves. The only card I see so far that supports this is https://www.cardlogix.com/product/l-plus-hardware-security-module-hsm-card/, but I am unsure what would be involved in getting it to work as I doubt it would be compatible out the box with GPG; I will try to obtain one and experiment.wouldn't be too hard. So, you could consider using PIV tokens as hardware tokens.
What would it take to add support for retirement key slots into the GPG smartcard specification? If retirement slots were added to the smartcard spec, then after several years, other smartcard implementations might add support for it over time. Is that something I could help contribute with?
Well, you could re-encrypt everything encrypted to the retired keys with the new keys. This will make sure that you can still decrypt everything even ifI thought about this as well. Having an encrypted offline copy of the decryption keys encrypted with a smartcard would have the same benefits as the limited password attempts and hardware security around the key. The problem is that whenever I need/want to decrypt old messages, I would have to set up an air-gapped system and, on that system, load the decryption key on a token, a rather tedious process. That being said, I will probably go with this option in the interim unless others have a better suggestion on how to do this. I would like to help if I could on adding key retirement slots to the smartcard specification if possible.you kept tokens with the retired keys and those tokens die.
Sincerely, Brandon Anderson
OpenPGP_0x255837AEF812E87E.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
