On Mon, Jan 04, 2010 at 08:59:16PM +0100, Vincent Danjean wrote:
> Hi,
>
> My main gpg public key seems to be a 1024 DSA key (1024D/9D025E87).
> I would like to have a more robust main key. I've created two 4096 RSA
> subkeys to sign and encrypt.
>
> However, is there a way to switch my main key? (ie to create a new
> one and change it without losing all my other keys and signatures).

Nope. RFC 4880 specifies that signatures over User IDs hash the key data; otherwise, I could create a key (over which you have no control) with your User ID and have all of your signatures validate on my spoofed key. If you have a signing subkey, the only thing that the main key is used for[0] is signing key data: User IDs (yours and others') and subkeys. Signing subkeys will be used for signing all data.

> The immediate "solution" is to create a separate new (main) key,
> sign it and make it signed by other DDs and then ask for it to be added
> to the Debian keyring.
> But perhaps a gpg guru¹ would have better suggestions?

If you believe that your main key is sufficiently secure for the limited purposes for which it will be used, then just create subkeys for encryption and signing. If you do not, then you should create a new main key. For maximum long-term security, I recommend a 3072-bit DSA key (preferably with SHA-512) or a 4096-bit RSA key.

Note that you can cross-sign your keys with trust signatures such that people trusting your old key will implicitly trust signatures made with your new one. You can see such an example from my old key (0x560553e7) to my new one (0x0223b187).

> ¹: does anyone know if it is possible to extract a subkey from a gpg
> key and add it to another gpg key?

It is possible. I don't believe that there are any tools that provide that functionality, though.

[0] This is only true for v4 keys, but they are the only ones that have the main key/subkey distinction. GnuPG cannot create v3 keys, but it can use them.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
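To illustrate the RFC 4880 point made in the reply above (a User ID certification hashes the primary key material, so it cannot be transplanted onto a different primary key), here is an added example that is not part of the thread: it builds the exact byte sequence a v4 certification signature hashes (RFC 4880 section 5.2.4) and the v4 fingerprint (section 12.2) for two constructed, toy-sized keys that share one User ID. The key parameters, User ID and timestamps are constructed sample values, not real keys.

```python
import hashlib
import struct

def v4_public_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 5.5.2): version octet,
    4-octet creation time, algorithm id, then each MPI as a 2-octet
    bit count followed by the big-endian magnitude."""
    body = b"\x04" + struct.pack(">IB", created, algo)
    for n in mpis:
        bits = n.bit_length()
        body += struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")
    return body

def key_fingerprint(key_body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-octet length, body."""
    framed = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    return hashlib.sha1(framed).hexdigest().upper()

def certification_hash(key_body: bytes, user_id: bytes,
                       hashed_sig_fields: bytes, hash_name: str = "sha256") -> str:
    """Digest a v4 User ID certification actually signs (RFC 4880 5.2.4):
    primary key (0x99 + 2-octet len + body), User ID (0xB4 + 4-octet len + uid),
    the signature's hashed fields, then the trailer 0x04 0xFF + 4-octet length
    of those hashed fields. The key bytes are part of the input, which is why
    the signature is worthless for any other primary key."""
    data = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    data += b"\xb4" + struct.pack(">I", len(user_id)) + user_id
    data += hashed_sig_fields
    data += b"\x04\xff" + struct.pack(">I", len(hashed_sig_fields))
    return hashlib.new(hash_name, data).hexdigest()

# Constructed sample: two RSA (algo 1) primaries with toy moduli, same User ID.
CREATED = 1262638756
KEY_A = v4_public_key_body(CREATED, 1, [0xC0FFEE, 0x10001])
KEY_B = v4_public_key_body(CREATED, 1, [0xBADC0DE, 0x10001])
UID = b"Example User <user@example.invalid>"
# Hashed signature fields: version 4, type 0x13 (positive cert), RSA,
# SHA-256, 6 octets of hashed subpackets (one creation-time subpacket).
SIG_FIELDS = b"\x04\x13\x01\x08" + b"\x00\x06" + b"\x05\x02" + struct.pack(">I", CREATED)

def certification_transfers(key_a: bytes, key_b: bytes) -> bool:
    """True only if a certification over UID on key_a would verify on key_b."""
    return certification_hash(key_a, UID, SIG_FIELDS) == certification_hash(key_b, UID, SIG_FIELDS)

if __name__ == "__main__":
    print("fingerprint A:", key_fingerprint(KEY_A))
    print("fingerprint B:", key_fingerprint(KEY_B))
    print("same UID, certification transfers:", certification_transfers(KEY_A, KEY_B))
```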