Haelwenn /элвэн/ :triskell: on Nostr: #[0] Rotating actually used OpenPGP keys is just too painful to do as regularly as it ...
Adolph (npub17eh…94rr) Rotating actually used OpenPGP keys is just too painful to do as regularly as it should be (i.e. OpenBSD rotates their signify keys at each release, so 6 months with each current key signing the next one. Meanwhile it's not rare to see 20+ year old OpenPGP keys). Even just for subkeys, and especially now that keyservers seem to still be in limbo after they got pretty much breached.
Rotating the identity key means effectively changing all the configurations / account settings / manually pinging people, quite like changing a phone number (which is why for me identity keys are a mistake from the pre-web / pre-modern-crypto era).
Meanwhile ssh is just a matter of launching ssh-copy-id, and x509 (as used by HTTPS) pretty much supports blind key rotation.
As for Nitrokey I think Start is a good default, which you can make tamper resistant with a basic seal and get the features of the others (passwords, OTP, storage, …) via much less limited software (pass(1), pass-otp, LUKS, …) instead.