PGP Question
@se7en I believe you have. That's not a fatal problem. But it could be annoying if you generated those keys on hardware devices.
Re: Web-of-Trust, the web-of-trust attests to identities, via the master key. So adding new subkeys doesn't break it.
Re: expiration, you absolutely can just extend the expiration. I've done that with my key repeatedly.
@se7en
The "C" means certification: the ability to delegate to a subkey. It might be possible to remove that. But you definitely don't want to do that. :)
I'm not sure if you actually can remove the master key as a signing key. It wouldn't be all that relevant from a security perspective anyway, as the master key can always just delegate another subkey, so removing signing ability doesn't fundamentally remove its ability to sign things.
@se7en Looks like you can generate a cert-only master key with the --quick-gen-key option. But AFAICT you have to do that from the start - you can't change that later.
That'd be a pretty unusual setup, so I'd advise against it purely on a "will likely break things" basis.
@se7en Ah, I think I see what you mean. Yes, letting those keys expire, as well as extending the expiration, is fine. And as I said, changes to subkeys don't affect the WoT.
Sounds like you already understand this fully, but note that the recipients actually need to get a copy of your updated key for any of this to take effect from their perspective. So in practice, push it to keyservers (which are kinda broken these days...) and/or send a copy directly.
I hope that helps!
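
An added example, not part of the thread above: a small Python check that reads `gpg --list-keys --with-colons` output and reports each key's own capability flags (the "C" discussed above) and expiration status, which is useful for confirming what recipients will see after an expiry extension. The sample listing, key IDs and dates are constructed, and the function names are hypothetical.

```python
# Constructed sample in the layout of `gpg --list-keys --with-colons`.
# Field 5 = key ID, field 7 = expiry (epoch seconds), field 12 = capabilities.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1577836800:1735689600::u:::cSEA:
uid:u::::1577836800::::Example User <user@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1577836800:1704067200:::::s:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1577836800:1704067200:::::e:
sub:e:4096:1:DDDDDDDDDDDDDDDD:1577836800:1609459200:::::a:
"""

def parse_keys(colons):
    """Return one dict per primary key / subkey record."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        keys.append({
            "kind": "primary" if f[0] == "pub" else "subkey",
            "keyid": f[4],
            # On a pub record, uppercase letters describe the whole key;
            # lowercase letters are what this key itself can do.
            "own_caps": {c for c in f[11] if c.islower()},
            "expires": int(f[6]) if f[6] else None,
        })
    return keys

def expiry_status(keys, now, warn_days=60):
    """Map key ID -> 'no-expiry', 'expired', 'expiring' or 'ok'."""
    status = {}
    for k in keys:
        exp = k["expires"]
        if exp is None:
            status[k["keyid"]] = "no-expiry"
        elif exp <= now:
            status[k["keyid"]] = "expired"
        elif (exp - now) // 86400 <= warn_days:
            status[k["keyid"]] = "expiring"
        else:
            status[k["keyid"]] = "ok"
    return status

if __name__ == "__main__":
    keys = parse_keys(SAMPLE)
    state = expiry_status(keys, now=1700000000)  # fixed "now" for the sample
    for k in keys:
        caps = "".join(sorted(k["own_caps"]))
        print(k["kind"], k["keyid"], caps, state[k["keyid"]])
```

Running the same check against a copy of the key fetched the way a recipient would get it shows whether the updated expiration has actually reached them.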