Separate passphrase for subkeys (was: New GnuPG snapshot)

David Shaw dshaw at jabberwocky.com
Mon Sep 10 15:15:02 CEST 2001


On Mon, Sep 10, 2001 at 10:30:50AM +0200, disastry at saiknes.lv.NO.SPaM.NET wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
> 
> David Shaw wrote:
> > Someone pointed out to me once that a pleasant side effect of
> > separated keys was that in some places, the Big Scary Gov't could
> > force you to reveal an encryption key, but not an authentication key.
> > If you used the same key for both, then you are out of luck.
> > 
> > (IANAL, YMMV, and I don't recall where "some places" are.)
> > David
> 
> so you have to have separate passphrase for signing key and
> encryption subkey.

Not necessarily.  I'm talking about a case where the gov't can legally
ask for your key.  Don't just give them the passphrase: do a
--export-secret-subkeys onto a floppy, delete any subkeys they didn't
ask for, change the passphrase and hand that over.

> AFAIK GnuPG can't change subkey's passphrase separately from key's
> passphrase (at least not in easy way). this would be a very useful feature...
> (yes I know about export-secret-subkeys option, but this
> would be a very useful feature anyway)

Yes it would be pretty neat.

David

-- 
   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson