Mailing List Archive



Re: [tlug] Managing PGP keys on multiple machines



David,

On 2008-05-21 15:17 +0900 (Wed), David Smith wrote:

> The solution you're looking for is using PGP subkeys.

I've been looking at this, actually. I already use encryption subkeys,
expiring them and generating a new one every year, to reduce exposure
both through having less encrypted material available for analysis for
any particular key and through having less material that can be decrypted
should a key be compromised.

I've been doing this for a while (I'm now on my fifth yearly encryption
subkey), and the only real issue I've had is every year having to go
around and find all the places that automated systems are encrypting
things for me to update the keyring. (E.g., most servers that send their
backups to Starling's central backup server encrypt the data with my
key, amongst others.)

However, it looks to me like there are more difficulties when it comes
to using subkeys for signing. The problems section of the page you quoted:

    http://fortytwo.ch/gpg/subkeys

doesn't make the approach look very promising for use in an open
environment. What's the current state of these problems, and how has it
been working out for you?

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974   
Mobile sites and software consulting: http://www.starling-software.com
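
The yearly chore described in the message above (finding machines whose keyring still holds only an expired encryption subkey) can be checked per machine. The following is an added example, not part of the original post: it parses the output format of `gpg --list-keys --with-colons` and reports whether a usable encryption subkey remains. The sample listing, key IDs, dates and function names are constructed for illustration.

```python
"""Check a keyring listing for a usable encryption subkey (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `gpg --list-keys --with-colons`.
# Key IDs, user ID and dates are made up for illustration.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1104537600:::u:::scESC:
uid:u::::1104537600::0000::Example User <user@example.invalid>:
sub:e:2048:1:BBBBBBBBBBBBBBBB:1167609600:1199145600:::::e:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1199145600:1230768000:::::e:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1199145600:1230768000:::::s:
"""


def encryption_subkeys(listing):
    """Yield (keyid, validity, expiry or None) for each encryption-capable subkey."""
    for line in listing.splitlines():
        f = line.split(":")
        # Field 1: record type, field 2: validity, field 5: key ID,
        # field 7: expiry (epoch seconds, empty = never), field 12: capabilities.
        if f[0] != "sub" or len(f) < 12 or "e" not in f[11]:
            continue
        expires = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
        yield f[4], f[1], expires


def keyring_status(listing, now, warn_days=30):
    """Return 'ok', 'expiring' or 'stale' for the listing as seen at time `now`."""
    best = "stale"
    for _keyid, validity, expires in encryption_subkeys(listing):
        if validity in ("e", "r", "d", "i"):  # expired, revoked, disabled, invalid
            continue
        if expires is not None and expires <= now:
            continue  # listing was captured before the subkey expired
        if expires is None or expires - now > timedelta(days=warn_days):
            return "ok"
        best = "expiring"
    return best


if __name__ == "__main__":
    print(keyring_status(SAMPLE, datetime.now(timezone.utc)))
```

Run from cron on each machine that encrypts to the key, a result other than `ok` is the cue to import the refreshed public key before backups start failing or being encrypted only to the other recipients.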

