
Should we allow generating new keys in `sop update-key[s]`?

The discussion with @dkg and @hkos in dfbc37ef (comment 2099611663) raised another question for me, namely: should we allow `sop update-key[s]` (without the `--no-{new,added}-{mechanisms,capabilities,functionality}` flag) to return more TSKs than it receives? For example, if you pass a v4 key, we could return a v4 key + a v6 key (with the same User IDs), bound together using @andrewgdotcom's replacement key subpacket?

That way, you can use `sop update-key[s]` to manage your entire "private keyring", so to speak, without having to proactively decide whether it's needed to generate a new key or not.

(Perhaps it might then also make sense to go back to the plural `update-keys`?)


Somewhat similarly, perhaps `sop generate-key[s]` should be allowed to generate two keys, a v4 and a v6 one, again bound together with a replacement key subpacket?

Edited by Daniel Huigens
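The question above is whether `sop update-key` may hand back more TSKs than it was given. The check a practitioner would want is to look at the output and see how many primary secret keys it contains and of which versions. The script below is an added example, not code from the sop spec, this issue, or any sop implementation: it walks an OpenPGP packet stream using the RFC 9580 section 4.2 header framing (old and new format, including partial body lengths), dearmors a `PRIVATE KEY BLOCK` if the input is armored, and returns the version octet of every Secret-Key packet (tag 5). The sample it builds is a constructed stub (packet bodies hold only a version octet and zero filler, not real key material) showing a v4 TSK returned together with a new v6 one. It does not interpret the replacement-key subpacket, whose wire format is still a draft.

```python
"""Report the version of each primary key in sop key output (added example).

Not part of the sop spec, this issue, or any sop implementation. Packet
framing follows RFC 9580 section 4.2; the sample TSK blob is a constructed
stub with dummy key bodies, not real key material.
"""
import base64
import sys

SECRET_KEY = 5      # primary Secret-Key packet tag
SECRET_SUBKEY = 7
USER_ID = 13


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos, n = 0, len(data)
    while pos < n:
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header 0x{hdr:02x} at offset {pos}")
        pos += 1
        if hdr & 0x40:                        # new format: tag in the low 6 bits
            tag, body = hdr & 0x3F, bytearray()
            while True:                       # loops only for partial body lengths
                b1, partial = data[pos], False
                pos += 1
                if b1 < 192:
                    length = b1
                elif b1 < 224:                # two-octet length
                    length = ((b1 - 192) << 8) + data[pos] + 192
                    pos += 1
                elif b1 == 255:               # five-octet length
                    length = int.from_bytes(data[pos:pos + 4], "big")
                    pos += 4
                else:                         # 224..254: partial body length
                    length, partial = 1 << (b1 & 0x1F), True
                if pos + length > n:
                    raise ValueError("truncated packet")
                body += data[pos:pos + length]
                pos += length
                if not partial:
                    break
            yield tag, bytes(body)
        else:                                 # old format: tag in bits 2..5
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                    # indeterminate: runs to end of input
                length = n - pos
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + width], "big")
                pos += width
            if pos + length > n:
                raise ValueError("truncated packet")
            yield tag, data[pos:pos + length]
            pos += length


def dearmor(text: str) -> bytes:
    """Decode every PRIVATE KEY BLOCK armor in text into one packet stream."""
    out, lines, state = bytearray(), [], "outside"
    for line in text.splitlines():
        line = line.strip()
        if state == "outside":
            if line == "-----BEGIN PGP PRIVATE KEY BLOCK-----":
                lines, state = [], "headers"
        elif state == "headers":
            if line == "":
                state = "body"
            elif ":" not in line:             # block carries no armor headers
                lines.append(line)
                state = "body"
        elif line.startswith("-----END"):
            out += base64.b64decode("".join(lines))
            state = "outside"
        elif not line.startswith("="):        # skip the optional CRC24 line
            lines.append(line)
    return bytes(out)


def primary_key_versions(blob) -> list:
    """Version octet of each primary Secret-Key packet, in order of appearance."""
    if isinstance(blob, bytes) and blob.startswith(b"-----BEGIN"):
        blob = blob.decode("ascii")
    if isinstance(blob, str):
        blob = dearmor(blob)
    return [body[0] for tag, body in iter_packets(blob) if tag == SECRET_KEY and body]


def _packet(tag: int, body: bytes, old_format: bool = False) -> bytes:
    """Frame a short body (< 192 octets) with a one-octet length header."""
    if old_format:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0xC0 | tag, len(body)]) + body


def build_sample() -> bytes:
    """Constructed stub of update-key returning a v4 TSK plus a new v6 TSK."""
    uid = _packet(USER_ID, b"Alice <alice@example.org>", old_format=True)
    v4 = _packet(SECRET_KEY, bytes([4]) + b"\0" * 15) + uid + _packet(SECRET_SUBKEY, bytes([4]) + b"\0" * 15)
    v6 = _packet(SECRET_KEY, bytes([6]) + b"\0" * 15) + uid + _packet(SECRET_SUBKEY, bytes([6]) + b"\0" * 15)
    return v4 + v6


def armor(data: bytes) -> str:
    """Minimal ASCII armor (no headers, no CRC24) for the sample blob."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n{body}\n-----END PGP PRIVATE KEY BLOCK-----\n"


if __name__ == "__main__":
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else build_sample()
    print("primary key versions:", primary_key_versions(data))
```

Run it on real output with `sop update-key < old.key | python3 check_keys.py`: a result of `[4]` means the key came back alone, `[4, 6]` means a second, v6 primary key was added. On the constructed sample it prints `[4, 6]`.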