forwarded message from Joe Rhett

Werner Koch wk at gnupg.org
Fri Apr 27 14:09:01 CEST 2001


On Fri, 27 Apr 2001, Nils Ellmenreich wrote:

> is there someone who can help Joe and (if necessary) provide an update
> for the FAQ?

> Date: Thu, 26 Apr 2001 23:47:15 -0700
> From: Joe Rhett <jrhett at isite.net>


> appear to work properly.  The --export-secret-subkeys appears to remove the
> secret part of the key (manpage documents this) which makes signing
> impossible.

Yes.  This is the whole point of --export-secret-subkeys.

Without the secret primary key you can't add a new key, revoke one,
etc.  So if your box gets compromised, the cracker can "only" use the
subkey to decrypt all messages encrypted to this subkey.

The procedure after such a compromise, or at times when you want
to change certain properties of the key (say, to change the
encryption key to get some forward secrecy), has to be done
with the main copy of the key, which of course should not be stored
on the automated box.

Ciao,

  Werner

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
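The split Werner describes (primary secret key kept offline, only the subkeys deployed to the automated box) as a runnable shell walkthrough. This is an added example, not code from the post or from GnuPG's own documentation. It assumes GnuPG 2.1 or later (for --quick-generate-key / --quick-add-key), a made-up identity "Automated Box <box@example.invalid>", and two temporary directories standing in for the offline machine and the automated box; keys are left unprotected so the script runs unattended, which is a demo convenience, not a recommendation. It goes one step beyond the 2001 key layout: with a dedicated signing subkey the box can still sign, and only operations that need the primary key (here, adding a subkey) fail on it.

```shell
#!/bin/sh
# Added example: offline primary key, subkeys-only deployment with GnuPG.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "skipping: gpg not installed" >&2; exit 0; }

OFFLINE=$(mktemp -d)   # stands in for the offline machine (made-up location)
SERVER=$(mktemp -d)    # stands in for the automated box (made-up location)

cleanup() {
  for h in "$OFFLINE" "$SERVER"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$OFFLINE" "$SERVER"
}
trap cleanup EXIT

# Non-interactive gpg wrapper; unprotected keys + loopback pinentry keep it unattended.
# stderr is silenced to keep the demo quiet; drop "2>/dev/null" when debugging.
gpgb() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }

# 1. Offline machine: certify-only primary, then a signing and an encryption subkey.
GNUPGHOME="$OFFLINE" gpgb --quick-generate-key 'Automated Box <box@example.invalid>' ed25519 cert never
FPR=$(GNUPGHOME="$OFFLINE" gpg --batch --with-colons -K | awk -F: '$1=="fpr"{print $10; exit}')
GNUPGHOME="$OFFLINE" gpgb --quick-add-key "$FPR" ed25519 sign never
GNUPGHOME="$OFFLINE" gpgb --quick-add-key "$FPR" cv25519 encr never

# 2. Export only the subkeys; the primary secret key becomes a stub in this file.
GNUPGHOME="$OFFLINE" gpgb --export-secret-subkeys "$FPR" > "$OFFLINE/subkeys.gpg"

# 3. Automated box: import the subkey bundle (it carries the public parts and UIDs too).
GNUPGHOME="$SERVER" gpgb --import "$OFFLINE/subkeys.gpg"

# Field 15 of the "sec" record is "#" when the primary secret key is unavailable
# (the same thing "gpg -K" shows as "sec#" in human-readable output).
primary_is_stub() {
  f=$(GNUPGHOME="$SERVER" gpg --batch --with-colons -K | awk -F: '$1=="sec"{print $15; exit}')
  [ "$f" = "#" ]
}

# Mail encrypted to the encryption subkey is still readable on the box.
box_can_decrypt() {
  out=$(printf 'secret report' \
    | GNUPGHOME="$SERVER" gpgb --trust-model always --recipient "$FPR" --encrypt \
    | GNUPGHOME="$SERVER" gpgb --decrypt)
  [ "$out" = "secret report" ]
}

# With a signing subkey present, gpg picks it even though the primary is a stub.
box_can_sign() {
  printf 'payload' > "$SERVER/payload"
  GNUPGHOME="$SERVER" gpgb --local-user "$FPR" --detach-sign -o "$SERVER/payload.sig" "$SERVER/payload" \
    && GNUPGHOME="$SERVER" gpgb --verify "$SERVER/payload.sig" "$SERVER/payload"
}

# Anything that needs the primary key (adding/revoking subkeys, editing UIDs) fails on the box.
box_cannot_add_subkey() {
  ! GNUPGHOME="$SERVER" gpgb --quick-add-key "$FPR" cv25519 encr never
}

if primary_is_stub && box_can_decrypt && box_can_sign && box_cannot_add_subkey; then
  echo "box holds subkeys only: decrypt/sign work, primary-key operations fail"
fi
```

If the automated box is compromised, the recovery Werner outlines is done on the offline copy: revoke the exposed subkeys, add fresh ones, re-export with --export-secret-subkeys and redeploy; the primary key and its certifications are untouched.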