Bitcoin Forum
Topic: PGP key or subkey? What about the expiration?
blisscan (OP)
September 07, 2013, 05:15:51 PM
 #1

Hi,

I have generated a PGP key. Now, if I want to use it for signatures and authentication, should I use the master key or a subkey? My understanding is that it is better to use a subkey, but I am not sure.

Another question: When I generated the key, I set an expiration date of 30 days. Is this okay? What is the common practice regarding the expiration?

Thanks
brom
September 07, 2013, 05:32:39 PM
 #2

It really depends on how often you wish to generate a new key. For example, let's say you have 5 friends you wish to talk to; all of them would need a copy of your PGP public key (never give anyone your private key). In this scenario, you may choose to not even have an expiration, to alleviate constant regeneration and resharing of keys. The function of expiration is to invalidate the keys after a certain duration of time; for most general usage, you may want the key valid for at least a year. Also ensure you are using a 4096 RSA AES key; anything less is impractical.
blisscan (OP)
September 07, 2013, 06:32:21 PM
 #3

I checked some random addresses here:
http://bitcoin-otc.com/viewgpg.php

And no one seems to use subkeys or expiration dates ... I am afraid that I might have trouble when my key expires ...

I'll wait a bit to see if some expert can provide detailed information. Otherwise I'll just do what the others do.
Foxpup
September 08, 2013, 12:20:14 AM
 #4

By default, the master key is used for signing and verifying signatures, and a single subkey is used for encryption and decryption. Note that your software will manage this automatically, and you shouldn't be messing with subkeys unless you know what you're doing.

30 day expiration is extremely short. At least a year is more common, if an expiration date is set at all. In any case, just before your key expires, you will need to create a new key and sign it with the old key (the signature proving to anyone using your old key that the new key is a genuine replacement and not, say, a MITM attack).

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
blisscan (OP)
September 10, 2013, 08:51:51 PM
 #5

> By default, the master key is used for signing and verifying signatures, and a single subkey is used for encryption and decryption. Note that your software will manage this automatically, and you shouldn't be messing with subkeys unless you know what you're doing.
>
> 30 day expiration is extremely short. At least a year is more common, if an expiration date is set at all. In any case, just before your key expires, you will need to create a new key and sign it with the old key (the signature proving to anyone using your old key that the new key is a genuine replacement and not, say, a MITM attack).

Thanks for your detailed information. I wanted a key to participate in bitcoin-otc, the web of trust and, in general, to sign my messages. Apparently I ended up with two different keys:
Code:
pub   4096R/3EAE300E 2013-09-07 [expires: 2013-10-07]
uid                  Bliss Can <blisscan@safe-mail.net>
sub   4096R/9985AEB1 2013-09-07 [expires: 2013-10-07]

I guess that the right thing to do is to use the subkey for day-to-day activities and keep the master key in a safe and use it only to generate subkeys. The thing is that the documentation that I could find
http://wiki.bitcoin-otc.com/wiki/GPG_authentication
does not mention anything about subkeys, and that is the origin of the confusion.
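
An added example, not part of any post in this thread: the listing in post #5 does not show what each key is used for, but GnuPG's machine-readable `--with-colons` output does. The code below parses a constructed sample of that output (placeholder key IDs and user ID; key size and dates taken from the listing) and reports each key's own capabilities and its remaining validity.

```python
from datetime import datetime, timezone

# Constructed `gpg --list-keys --with-colons` output for a key shaped like the
# one in post #5 (4096-bit RSA, created 2013-09-07, expires 2013-10-07).
# The 16-hex-digit key IDs and the user ID are placeholders, not real values.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1378512000:1381104000::u:::scESC:
uid:u::::1378512000::::Example User <user@example.invalid>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1378512000:1381104000:::::e:
"""

CAPS = {"s": "sign", "c": "certify", "e": "encrypt", "a": "authenticate"}

def parse_keys(colon_text):
    """Return one dict per pub/sub record: role, own capabilities, expiry."""
    keys = []
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        # Field 12 holds capabilities. Lowercase letters belong to this key;
        # uppercase letters on a pub record summarise the whole key set.
        own = {CAPS[c] for c in f[11] if c in CAPS}
        keys.append({
            "role": "primary" if f[0] == "pub" else "subkey",
            "bits": int(f[2]),
            "keyid": f[4],
            "created": int(f[5]),
            "expires": int(f[6]) if f[6] else None,  # empty field = no expiry
            "caps": own,
        })
    return keys

def days_left(key, now):
    """Whole days until expiry at `now` (epoch seconds); None if no expiry."""
    if key["expires"] is None:
        return None
    return (key["expires"] - now) // 86400

if __name__ == "__main__":
    # Evaluate as of the date of post #5.
    now = int(datetime(2013, 9, 10, tzinfo=timezone.utc).timestamp())
    for k in parse_keys(SAMPLE):
        print(k["role"], k["bits"], sorted(k["caps"]), "days left:", days_left(k, now))
```
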
Foxpup
September 11, 2013, 02:06:06 AM
 #6

> I guess that the right thing to do is to use the subkey for day-to-day activities and keep the master key in a safe and use it only to generate subkeys.
No, the master key and subkey(s) are part of the same key. Do not attempt to separate them and do not attempt to create additional subkeys unless you know what you're doing.

> The thing is that the documentation that I could find
> http://wiki.bitcoin-otc.com/wiki/GPG_authentication
> does not mention anything about subkeys, and that is the origin of the confusion.
It doesn't mention them because they're handled automatically. There should be no confusion as you never need to deal with them.

blisscan (OP)
September 11, 2013, 07:14:32 AM
 #7

Thanks again for the explanation!