**Se7en** @se7en@freespeechextremist.com · Mar 13, 2021, 23:20

**Se7en** @se7en@freespeechextremist.com · Mar 13, 2021, 23:20

Se7en @se7en@freespeechextremist.com

Mar 13, 2021, 23:20

Se7en @se7en@freespeechextremist.com

PGP Question

In 2020, I generated new keys in a form that I previously had not done. I had made a primary key, along with a sub-signing and a sub-encyption key. These keys expire soon, but the main key is still valid. Should I change their expiration date? If I let these keys expire, and generate new keys for sign/encrypt does it break Web of Trust?

**Se7en** @se7en@freespeechextremist.com · Mar 13, 2021, 23:40

**Se7en** @se7en@freespeechextremist.com · Mar 13, 2021, 23:40

Mar 13, 2021, 23:40

Se7en @se7en@freespeechextremist.com

I have changed their experation date. However, another question arises. Have I accidently made two keys for encryption?
2021-03-13-154126_492x132_scrot.png

2021-03-13-154126_492x132_scrot.png?name=2021-03-13-154126_492x132_scrot.png

**Peter Todd** @pete@petertodd.org · Mar 13, 2021, 23:54

**Peter Todd** @pete@petertodd.org · Mar 13, 2021, 23:54

Mar 13, 2021, 23:54

Peter Todd @pete@petertodd.org

@se7en I believe you have. That's not a fatal problem. But it could be annoying if you generated those keys on hardware devices.

Re: Web-of-Trust, the web-of-trust attests to identities, via the master key. So adding new subkeys doesn't break it.

Re: expiration, you absolutely can just extend the expiration. I've done that with my key repeatedly.

**Se7en** @se7en@freespeechextremist.com · Mar 14, 2021, 00:03

**Se7en** @se7en@freespeechextremist.com · Mar 14, 2021, 00:03

Mar 14, 2021, 00:03

Se7en @se7en@freespeechextremist.com

@pete I know I can extend (or in this case revoke) my expiration. I was simply concerned about the fact that the subkeys were set to expire on Mar 20. This is the first time I've ever used this subkey setup. Also, for my personal PGP it was the first time I used pgp in a truly professional setting (confirming/signing correspondance with the court).

**Se7en** @se7en@freespeechextremist.com · Mar 14, 2021, 00:06

**Se7en** @se7en@freespeechextremist.com · Mar 14, 2021, 00:06

Mar 14, 2021, 00:06

Se7en @se7en@freespeechextremist.com

@pete I believe my keys are missetup so the master key is still set to be a signing key. How do I remove that? Also, what is "C" in the [SC]

**Peter Todd** @pete@petertodd.org · Mar 14, 2021, 00:11

**Peter Todd** @pete@petertodd.org · Mar 14, 2021, 00:11

Mar 14, 2021, 00:11

Peter Todd @pete@petertodd.org

@se7en
The "C" means certification: the ability to delegate to a subkey. It might be possible to remove that. But you definitely don't want to do that. :)

I'm not sure if you actually can remove the master key as a signing key. It wouldn't be all that relevant from a security perspective anyway, as the master key can always just delegate another subkey, so removing signing ability doesn't fundamentally remove its ability to sign things.

**Peter Todd** @pete@petertodd.org · 2021-03-14T00:23:05Z

Peter Todd @pete@petertodd.org

@se7en Looks like you can generate a cert-only master key with the --quick-gen-key option. But AFAICT you have to do that from the start - you can't change that later.

That'd be a pretty unusual setup, so I'd advice against it purely on a "will likely break things" basis.

Mar 14, 2021, 00:23 · · Web · · ·

Trending now

Resources

Developers

What is Mastodon?

petertodd.org

More…