[17:33] <ahasenack_> hi #security, do you have a good document outlining best practices for gpg keys? Considering subkeys
[17:33] <ahasenack_> I know of https://github.com/drduh/YubiKey-Guide which talks a lot about subkeys
[17:37] <Montresor> About all I can tell you is "Don't generate a 2048 key and store it in Dropbox" :>
[17:37] <ahasenack_> check
[17:37]  * ahasenack_ reads https://wiki.debian.org/Subkeys
[17:38] <Montresor> ed25519 keys sounded interesting, but considering how hard it is to get a key signed...I'd be sticking with mine untilI absolutely can't.  I realize of course this doesn't help at all.
[17:41] <ahasenack_> what has ed25519 got to do with being hard to sign?
[17:42] <ahasenack_> or you mean, if you were to change your key, you would have to work hard to get all the signatures again?
[17:43] <Montresor> The latter, any new key is a hard no.
[17:43] <ahasenack_> that's the kind of best practice I'm looking for too. It's my vague understanding that with subkeys that is not a problem, you can rotate the subkeys, and you don't lose the signatures which were done on the parent key, or something like that
[17:43] <Montresor> Which would be good, yeah.
[17:44] <ahasenack_> Montresor: oh, you are unit193
[17:44] <ahasenack_> what happened? :)
[17:44] <Montresor> It's Halloween, so to Poe we go.
[17:44] <ahasenack_> aha
[17:44] <Montresor> (I'll be JackFrost for the winter/Christmas too.)
[18:20] <amurray> ahasenack_: we don't have any great documentation around gpg - probably the best is https://wiki.ubuntu.com/SecurityTeam/GPGMigration but that is quite old now
[18:21] <ahasenack_> ok