Yubico Forum


All times are UTC + 1 hour
Posted: Mon May 16, 2016 5:06 pm
I created a master key plus 3 subkeys for signing, decryption and authentication.
The master key has unlimited validity and is well preserved offline.
The 3 subkeys have a limited expiry date.

On my laptops configured for use with Yubikey it looks like this:
Code:
$ gpg2 --list-keys
/home/x11/.gnupg/pubring.gpg
-----------------------------
pub   4096R/A5XXXXXX 2015-12-31
uid       [ uneing.] x11 <x11@home.de>
sub   4096R/1EXXXXXX 2015-12-31 [verfällt: 2018-12-29]
sub   4096R/B4XXXXXX 2015-12-31 [verfällt: 2018-12-29]
sub   4096R/52XXXXXX 2015-12-31 [verfällt: 2018-12-29]

(Remark: "verfällt" translates to "expires".)
The secret keys are only stubs, which do not show the expiration dates.

My question now:
How do I manage to extend the validity of my subkeys on the Yubikey?
On the offline machine it is quite easy, because all keys are available and the master key already has unlimited lifetime. For obvious reasons I do not want to create a new set of subkeys and transfer them to the Yubikey, overwriting the current ones.

Regards,
x11



Posted: Tue May 17, 2016 2:43 am
Yubico Moderator

X11,

you will need to go back to the offline machine with all the keys present and change the expiry dates, then copy the subkeys over to the YubiKey once again. I've linked to a good source for changing the expiry dates on the keys.

http://www.g-loaded.eu/2010/11/01/chang ... e-gpg-key/

Posted: Tue May 17, 2016 11:35 am
mattlegitt,

thanks for your quick reply, which will cause quite a lot of actions to extend the lifetime of the subkeys, including the transfer to the Yubikey.
I was hoping that the "expiry information" is only contained in the public key, which is distributed e.g. via key servers, and that the secret subkeys on the Yubikey remain unchanged.

I have now searched for additional information on how the whole expiry thing works and found this blog:
https://blog.josefsson.org/2014/08/26/t ... /#more-782
The last 2 replies to that post might indicate that my assumption probably works.
It states
Quote:
You only need the master key to update the expiration time of all master and subkeys.

This would mean that I only have to extend the expiry date of the subkeys on the offline machine and after that just distribute the updated public key (in other words: I do not have to do anything with my Yubikey).

Is that correct, or am I missing anything?

Regards,
x11

Posted: Wed May 18, 2016 7:36 pm
So, I now tested the whole procedure with a dummy key in a VM. What I have seen so far is:

1. Updating the expiry date of subkeys requires the master key.
2. I could not test what happens if I only have the master key without the subkeys present, because I was not able to delete only the subkeys.
3. The expiry of subkeys can be altered individually for each subkey (master key present).
4. Comparing the exported subkeys (gpg --export-secret-subkeys) before and after the change shows the same file size, but differences in content (binary compare).

Taking the result from 4) indicates that the subkeys on the Yubikey most probably have to be updated (even though the cryptographic information remains the same and only "metadata" is changed). Which data/part of the subkeys is finally stored in the Yubikey and what remains/sits in the stubs I do not know. That is probably handled by the pgp applet within the Yubikey.

This raises another question:
Can that update process be performed directly with the Yubikey (with the 3 subkeys) attached to the laptop if, just for that action, I temporarily import the master key on it?

Or do I really have to perform the change on the offline PC with the complete key and afterwards transfer the subkeys one by one to the Yubikey (gpg> keytocard)?

Regards,
x11


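Added example (editor's code, not from the thread or from Yubico): a small RFC 4880 packet walker that shows where the expiry discussed above actually lives. In OpenPGP a subkey's expiration is the Key Expiration Time subpacket (type 9) inside the subkey binding signature (signature type 0x18) that the primary key makes over the subkey, counted from the subkey's creation time; the subkey packet itself carries no expiry. Re-signing with a later date therefore changes only the signature packet, while the key packet, which holds the material keytocard moves to the card, stays byte-for-byte identical. That is consistent with observation 4 above: the export differs because it bundles the refreshed binding signatures. The key block below is constructed inline with dummy key material and dummy signature values, using the dates from the listing in the first post; helper names (`build_keyblock`, `subkey_expiries`, `diff_packet_tags`) are mine. The parser reads only the hashed subpacket area, as a verifier must, because subpackets in the unhashed area are not covered by the signature.

```python
"""Locate subkey expiry inside an OpenPGP (RFC 4880) key block.
Editor's illustration; the sample key block is constructed with dummy
MPIs and a dummy signature value so it runs offline."""
import struct
from datetime import datetime, timezone

PUBLIC_KEY, SIGNATURE, USER_ID, PUBLIC_SUBKEY = 6, 2, 13, 14   # packet tags
SIG_CREATION, KEY_EXPIRATION, ISSUER = 2, 9, 16               # subpacket types
SIG_POSITIVE_CERT, SIG_SUBKEY_BINDING = 0x13, 0x18            # signature types


def _read_length(buf, pos):
    """New-format length (RFC 4880 4.2.2); subpackets use the same encoding."""
    b = buf[pos]
    if b < 192:
        return b, pos + 1
    if b < 224:
        return ((b - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if b == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths do not occur in key blocks")


def iter_packets(buf):
    """Yield (tag, body) for old- and new-format packets of a binary key block."""
    pos = 0
    while pos < len(buf):
        hdr = buf[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if hdr & 0x40:                                   # new format
            tag = hdr & 0x3F
            length, pos = _read_length(buf, pos + 1)
        else:                                            # old format (what gpg --export writes)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype                            # 1, 2 or 4 length octets
            length = int.from_bytes(buf[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, buf[pos:pos + length]
        pos += length


def iter_subpackets(area):
    pos = 0
    while pos < len(area):
        length, pos = _read_length(area, pos)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # mask the "critical" bit
        pos += length


def parse_signature(body):
    """(sig_type, hashed subpackets). Only the hashed area is signed; an expiry
    placed in the unhashed area is unauthenticated and is deliberately ignored."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    return body[1], dict(iter_subpackets(body[6:6 + hashed_len]))


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def subkey_expiries(keyblock):
    """Creation date and binding-signature expiry for every subkey.
    Key Expiration Time is relative to the subkey's creation, not the signature's."""
    out, created = [], None
    for tag, body in iter_packets(keyblock):
        if tag == PUBLIC_KEY:
            created = None
        elif tag == PUBLIC_SUBKEY:
            created = struct.unpack(">I", body[1:5])[0]      # v4: version, 4-byte ctime
        elif tag == SIGNATURE and created is not None:
            sig_type, subs = parse_signature(body)
            if sig_type == SIG_SUBKEY_BINDING:
                life = subs.get(KEY_EXPIRATION)
                exp = None if life is None else created + struct.unpack(">I", life)[0]
                out.append({"created": _iso(created), "expires": None if exp is None else _iso(exp)})
    return out


def diff_packet_tags(before, after):
    """Tags of packets whose bytes differ between two exports of the same key."""
    return [ta for (ta, pa), (_, pb) in zip(iter_packets(before), iter_packets(after)) if pa != pb]


# ---- constructed sample key block (dummy material, real framing) -------------
def _epoch(day):
    return int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())

def _pkt(tag, body):                       # new-format header, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body

def _sub(stype, data):
    return bytes([len(data) + 1, stype]) + data

def _key_pkt(tag, created):                # v4 RSA key packet with two 1-octet dummy MPIs
    return _pkt(tag, bytes([4]) + struct.pack(">I", created) + b"\x01" + b"\x00\x08\x00" * 2)

def _sig_pkt(sig_type, signed_at, lifetime=None):
    hashed = _sub(SIG_CREATION, struct.pack(">I", signed_at))
    if lifetime is not None:
        hashed += _sub(KEY_EXPIRATION, struct.pack(">I", lifetime))
    hashed += _sub(ISSUER, bytes(8))       # placeholder issuer key ID
    body = (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\x00\x00" + b"\x00\x08\x00")   # no unhashed, hash prefix, dummy MPI
    return _pkt(SIGNATURE, body)

def build_keyblock(subkey_expires_on, signed_on="2016-05-18"):
    """Primary key, uid, self-cert, one subkey and its binding signature."""
    created = _epoch("2015-12-31")
    life = None if subkey_expires_on is None else _epoch(subkey_expires_on) - created
    return (_key_pkt(PUBLIC_KEY, created) + _pkt(USER_ID, b"x11 <x11@home.de>")
            + _sig_pkt(SIG_POSITIVE_CERT, _epoch(signed_on))
            + _key_pkt(PUBLIC_SUBKEY, created)
            + _sig_pkt(SIG_SUBKEY_BINDING, _epoch(signed_on), life))

if __name__ == "__main__":
    old, new = build_keyblock("2018-12-29"), build_keyblock("2020-12-29")
    print(subkey_expiries(old), subkey_expiries(new))
    print("packets that changed:", diff_packet_tags(old, new))   # only the signature (tag 2)
```

A binary `gpg --export <keyid>` of a real key can be fed to `subkey_expiries` as well, since both packet header formats are handled; the same walk over `gpg --export-secret-subkeys` output shows the changed bytes sitting in the signature packets rather than in the secret-key packets.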