forwarded message from Joe Rhett

Werner Koch wk@gnupg.org
Fri Apr 27 13:09:01 2001


On Fri, 27 Apr 2001, Nils Ellmenreich wrote:


> is there someone who can help Joe and (if necessary) provide an update
> for the FAQ?

> Date: Thu, 26 Apr 2001 23:47:15 -0700
> From: Joe Rhett <jrhett@isite.net>

> appear to work properly. The --export-secret-subkeys appears to remove the
> secret part of the key (manpage documents this) which makes signing
> impossible.
Yes. This is the whole point of --export-secret-subkeys. Without the secret primary key you can't add a new key, revoke one etc. So if your box gets compromised the cracker can "only" use the subkey to decrypt all messages encrypted to this subkey.

After such a compromise, or at times when you want to change certain properties of the key (say, to change the encryption key to get some forward secrecy), you have to do this with the main copy of the key, which of course should not be stored on the automated box.

Ciao,

  Werner

-- 
Werner Koch          Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH        et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
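The setup Werner describes, as an added example that is not part of the original mail: a throwaway key with an encryption subkey and a signing subkey is created in one keyring (the "main copy"), only the secret subkeys are moved into a second keyring (the "automated box"), and the script then checks that the primary secret key is a stub there, that data can still be signed with the signing subkey, and that adding a new subkey is refused. It assumes GnuPG 2.1 or later on PATH; the user id is a constructed value.

```shell
#!/bin/sh
# Added example (not from the mail): what --export-secret-subkeys leaves behind.
# Assumes GnuPG 2.1+ on PATH. "Automated Box <auto@example.invalid>" is a constructed user id.
set -e

# Run gpg non-interactively against the keyring directory given as $1.
g() { h=$1; shift; GNUPGHOME=$h gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Create an empty keyring directory and print its path.
new_home() { d=$(mktemp -d); chmod 700 "$d"; echo "$d"; }

# Generate primary + encryption subkey, add a signing subkey; print the fingerprint.
make_key() {
    g "$1" --quick-gen-key 'Automated Box <auto@example.invalid>' default default never
    fpr=$(g "$1" --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    g "$1" --quick-add-key "$fpr" default sign never
    echo "$fpr"
}

# Copy the public key and only the secret subkeys of $3 from keyring $1 into keyring $2.
move_subkeys() {
    g "$1" --export "$3" | g "$2" --import
    g "$1" --export-secret-subkeys "$3" | g "$2" --import
}

# Print "stub" if the primary secret key in keyring $1 is only a stub, "full" otherwise.
# In --with-colons output field 15 of a "sec" record is "#" for a stub ("sec#" in normal listing).
primary_state() {
    g "$1" --with-colons --list-secret-keys | awk -F: '$1=="sec"{ if ($15=="#") print "stub"; else print "full"; exit }'
}

# Print "ok" if keyring $1 can make a detached signature that verifies (uses the signing subkey).
can_sign() {
    printf 'payload\n' >"$1/msg"
    if g "$1" --detach-sign --output "$1/msg.sig" "$1/msg" && g "$1" --verify "$1/msg.sig" "$1/msg"
    then echo ok; else echo fail; fi
}

# Print "refused" if keyring $1 cannot add a subkey to $2 (needs the primary secret key).
can_add_subkey() {
    if g "$1" --quick-add-key "$2" default sign never 2>/dev/null; then echo added; else echo refused; fi
}

run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping demo" >&2; return 0; }
    main=$(new_home); box=$(new_home)
    fpr=$(make_key "$main")
    move_subkeys "$main" "$box" "$fpr"
    echo "main copy primary:     $(primary_state "$main")"   # full
    echo "automated box primary: $(primary_state "$box")"    # stub
    echo "box can sign data:     $(can_sign "$box")"         # ok
    echo "box can add a subkey:  $(can_add_subkey "$box" "$fpr")" # refused
}
run_demo
```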