Isaac Bennetch on 18 Sep 2013 09:13:22 -0700


Re: [PLUG] encryption


On Wed, Sep 18, 2013 at 11:22 AM, Sam Gleske <sam.mxracer@gmail.com> wrote:
> If you haven't already, you should change your PGP key to be 4096-bit.

This seems like a good chance to bring up a PGP question I'm mulling
over. How do you typically upgrade your key while maintaining your web
of trust and all the signatures you've accumulated? Some people have
keys that expire every year, and I haven't yet found any good guide
for how they maintain the signatures.

One of the keyparty guides implies that you create what I'll call the
master key, which you get signed and then use to yourself sign your
subkeys, which are the actual encryption keys. However, using the caff
program at a recent keysigning seems to have gotten me a lot of
signatures on my subkeys, so either no one is doing it right or that's
not the end-all solution. The second option seems to be emailing
everyone who has signed your key every time you generate a new key,
asking them to sign your new key. While that seems secure (since
you're already using an established trusted relationship, encrypted
and signed, to do so), it seems like a huge hassle for people you may
have only met once. So that seems like a bad idea as well.

Perhaps someone could clarify, especially for those who have 2048-bit
keys, how you would upgrade your key strength while maintaining all the
signatures.

For the record I'm all 4096 anyway, but I may add another email
address which would face the same difficulty.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug