GnuPG: how to extend subkey's expiry date? - PGP


  1. GnuPG: how to extend subkey's expiry date?

    My key expired recently and GPG would (of course) not let me encrypt to it.
    I'd like to keep using the same key. So I used "gpg --edit-key" and the
    "expire" subcommand to extend the expiry date. Unfortunately the only
    subkey's expiry date did not change, so I still can't encrypt to the key.

    $ gpg --edit-key e3c5ee5e
    ....
    pub 1024D/E3C5EE5E created: 2002-02-19 expires: 2007-03-07 usage: CS
    trust: ultimate validity: ultimate
    sub 2048g/66796190 created: 2002-02-19 expired: 2005-02-18 usage: E
    ....

    I've tried using "expire sub" and "expire 66796190" commands inside
    edit-key, but I can't figure out how to change the expiry date of the
    subkey.

    Is it possible to do so, or do I need to add a new subkey to keep using the
    same main key?

    --
    Thanks,
    Adam


  2. Re: GnuPG: how to extend subkey's expiry date?

    Adam Funk wrote:
    > My key expired recently and GPG would (of course) not let me encrypt to it.
    > I'd like to keep using the same key. So I used "gpg --edit-key" and the
    > "expire" subcommand to extend the expiry date. Unfortunately the only
    > subkey's expiry date did not change, so I still can't encrypt to the key.
    >
    > $ gpg --edit-key e3c5ee5e
    > ...
    > pub 1024D/E3C5EE5E created: 2002-02-19 expires: 2007-03-07 usage: CS
    > trust: ultimate validity: ultimate
    > sub 2048g/66796190 created: 2002-02-19 expired: 2005-02-18 usage: E
    > ...
    >
    > I've tried using "expire sub" and "expire 66796190" commands inside
    > edit-key, but I can't figure out how to change the expiry date of the
    > subkey.


    "key n", where 'n' is the key you want (in your case, '1').
    "expire"

    David
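An added example, not part of the original thread: a shell helper that reads `gpg --list-keys --with-colons` output and reports each expired subkey together with the index N to give to "key N" before "expire", as described in the reply above. The key IDs and timestamps in the sample listing are constructed (the dates mirror the situation in the first post). It assumes epoch-second timestamps and that subkeys are numbered in listing order, starting at 1 for each primary key.

```shell
#!/bin/sh
# Added example (not from the thread): report expired subkeys and the index N
# to pass to "key N" inside gpg --edit-key.
# Input on stdin: output of `gpg --list-keys --with-colons`.
# Assumptions: timestamps are epoch seconds; subkeys are numbered in listing
# order starting at 1, restarting for each primary key.

expired_subkeys() {
    # $1 = reference time in epoch seconds, e.g. "$(date +%s)"
    awk -F: -v now="$1" '
        $1 == "pub" { primary = $5; n = 0; next }
        $1 == "sub" {
            n++
            # Field 7 is the expiry time (empty = never expires),
            # field 12 the capabilities (e = encrypt, s = sign, a = auth).
            if ($7 != "" && $7 + 0 <= now + 0)
                printf "%s key %d %s %s\n", primary, n, $5, $12
        }
    '
}

# Constructed sample listing. First key: primary valid until 2007-03-07,
# its only (encryption) subkey expired 2005-02-18. Second key: no expiry on
# the primary or the signing subkey, expired encryption subkey in slot 2.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:1111111111111111:1014076800:1173225600::u:::scSC:
uid:u::::1014076800::::Constructed User <user@example.org>:
sub:e:2048:16:2222222222222222:1014076800:1108684800:::::e:
pub:u:2048:1:3333333333333333:1014076800:::u:::scSC:
uid:u::::1014076800::::Another Constructed User <other@example.org>:
sub:u:2048:1:4444444444444444:1014076800::::::s:
sub:e:2048:1:5555555555555555:1014076800:1108684800:::::e:
EOF
}

# Reference time 1110931200 = 2005-03-16 00:00 UTC (constructed).
# Output columns: primary key ID, "key N" selector, subkey ID, capabilities.
sample_listing | expired_subkeys 1110931200
```

On a real keyring, pipe `gpg --list-keys --with-colons` into `expired_subkeys "$(date +%s)"`, then in `gpg --edit-key` enter the reported "key N", followed by "expire" and "save".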

  3. Re: GnuPG: how to extend subkey's expiry date?

    David Shaw wrote:

    >> I've tried using "expire sub" and "expire 66796190" commands inside
    >> edit-key, but I can't figure out how to change the expiry date of the
    >> subkey.

    >
    > "key n", where 'n' is the key you want (in your case, '1').
    > "expire"


    That fixed it: thanks!

    Is it considered useful or "a good thing" to replace subkeys periodically on
    the master key? (I seem to recall reading this somewhere.)


  4. Re: GnuPG: how to extend subkey's expiry date?

    Adam Funk wrote:

    > Is it considered useful or "a good thing" to replace subkeys periodically on
    > the master key? (I seem to recall reading this somewhere.)


    To be honest, I don't think the entire genre of subkeys is very useful.
    Create a large enough RSA sign+encrypt key that you don't need to worry
    about it, and that's that.

    It's unfortunate that GPG continues to discourage RSA sign+encrypt keys
    by relegating it to --expert mode.

    Kurt.

  5. Re: GnuPG: how to extend subkey's expiry date?

    "Kurt Fitzner (kfitzner at excelcia period org)" wrote:
    > Adam Funk wrote:
    >
    >> Is it considered useful or "a good thing" to replace subkeys periodically on
    >> the master key? (I seem to recall reading this somewhere.)

    >
    > To be honest, I don't think the entire genre of subkeys is very useful.
    > Create a large enough RSA sign+encrypt key that you don't need to worry
    > about it, and that's that.


    I'm afraid most cryptographers disagree with you.

    David

  6. Re: GnuPG: how to extend subkey's expiry date?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    On Wed, 16 Mar 2005 14:36:39 GMT, in comp.security.pgp.discuss "Kurt
    Fitzner (kfitzner at excelcia period org)" wrote:

    >
    >It's unfortunate that GPG continues to discourage RSA sign+encrypt keys
    >by relegating it to --expert mode.
    >
    > Kurt.



    Interestingly enough, PGP 9 beta's default key type (i.e., the sort of key
    generated if you hit "new key" and just go with default values) is a
    2048-bit RSA signing key (SHA-2 256) with a 2048-bit RSA encryption key
    (AES-256).


    shg

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 9.0.0 (Build 1799) Beta

    iQA/AwUBQjmS5pWn2pPDur23EQhAXACguyldtRp4a5Eps7xsIHJqjT vTNb4AoJJD
    tMPnhFjNSJ5kAUCllF92/VCg
    =1J3L
    -----END PGP SIGNATURE-----


    Simon H. Garlick <"sgarlick" at "gmail.com">
    PGP Key ID C3BABDB7



  7. Re: GnuPG: how to extend subkey's expiry date?

    Kurt Fitzner (kfitzner at excelcia period org) wrote:

    > Adam Funk wrote:
    >
    >> Is it considered useful or "a good thing" to replace subkeys periodically on
    >> the master key? (I seem to recall reading this somewhere.)

    >
    > To be honest, I don't think the entire genre of subkeys is very useful.
    > Create a large enough RSA sign+encrypt key that you don't need to worry
    > about it, and that's that.
    >
    > It's unfortunate that GPG continues to discourage RSA sign+encrypt keys
    > by relegating it to --expert mode.
    >
    > Kurt.


    Here's why I prefer using a subkey with expiration date:

    1) Ensures only Current Email Addresses are used/available on your key: In
    the last 8 years I've changed email addresses 8 times due to either
    consolidation (Smaller ISP was bought out) or through relocation and
    unavailability of service from the former ISP.

    2) Enforces a periodic replacement of the public key to ensure integrity of
    data and signatures. Have had 2 trusted introducers die in last 5 years
    due to accidents and acts of god. So it's allowed me to locate others and
    ensure that I know everyone who's signing my keys.

    I have also been able to disprove a message as originating from me in a
    sexual harassment case through the usage of g/pgp. The message was quickly
    exposed as a fraud by running a check against the private key. As the check
    didn't require the usage of my passphrase, I was able to transfer a copy of
    both the pub/priv keypair to a clean system for verification.

    3) Facilitates the separation of various electronic identities. I have one
    for professional usage, one for family, another for an Alias or Nym. Much
    easier to separate them through various keys.

    4) Ease of Revocation: If the master passphrase is ever compromised, all I
    have to do is issue a single revocation and all subkeys are immediately
    killed.

    The last reason is the control of a very limited resource in this day & age;
    Time & Privacy. By using subkeys, I increase the speed of recognition of
    encrypted/signed data as to its importance/relevance to my current needs.
