Question about signing subkeys

David Shaw dshaw at jabberwocky.com
Fri Oct 28 18:13:24 CEST 2005


On Thu, Oct 27, 2005 at 11:09:45PM -0500, Joe Vender wrote:

> For what reasons would someone use a subkey as the signing key
> instead of using the primary key as the signing key? In other words,
> what are the advantages and disadvantages, if any, of using a subkey
> instead of a primary key for signing?

Advantages:

 * Allows you to keep your primary key offline (a key that isn't there
 is really difficult to compromise either accidentally or not).

 * Allows you to roll your signing key (via expiry or revocation)
 every now and then without losing signatures on your key from other
 people.

 * Allows you to use a different algorithm for signing than you use
 for certification/identity.  For example, using a big RSA key is
 annoying for clearsigning since the signatures are large... but many
 people like using a big RSA key for their primary key because it's
 large.  Using a signing DSA subkey and a big RSA primary is the best
 of both worlds.

Disadvantages:

 * Some keyservers can't handle it.  This isn't too much of a problem
 these days.

David
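
The offline-primary setup from the first advantage, as an added example that is not part of the original post. It assumes a recent GnuPG 2.x (the `--quick-*` commands postdate this message), uses throwaway keyrings and a constructed identity, and uses RSA for both keys purely as an illustration.

```shell
#!/bin/sh
# Added example: the identity, directories and key sizes are constructed.
# Call subkey_demo to run it; it touches only temporary keyrings.

# gpg wrapper: non-interactive, empty passphrase (demo only).
g() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

subkey_demo() (
    set -e
    vault=$(mktemp -d)   # stands in for the offline machine / medium
    daily=$(mktemp -d)   # stands in for the everyday machine
    chmod 700 "$vault" "$daily"
    trap 'for d in "$vault" "$daily"; do
              GNUPGHOME=$d gpgconf --kill gpg-agent 2>/dev/null || true
              rm -rf "$d"
          done' EXIT

    # 1. In the vault: certify-only primary key plus a signing subkey
    #    that expires in a year, so it can be rolled later.
    export GNUPGHOME="$vault"
    g --quick-generate-key 'Demo Signer <demo@example.invalid>' rsa3072 cert never
    fpr=$(g --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    g --quick-add-key "$fpr" rsa2048 sign 1y

    # 2. Export the secret subkeys only; the primary secret stays in the vault.
    g --export-secret-subkeys "$fpr" > "$daily/subkeys.gpg"

    # 3. On the everyday machine: import and inspect. Field 15 of the
    #    colon listing is "#" when the secret part is only a stub.
    export GNUPGHOME="$daily"
    g --import "$daily/subkeys.gpg"
    g --with-colons --list-secret-keys |
        awk -F: '$1 == "sec" || $1 == "ssb" { print $1, ($15 == "#" ? "stub" : "present") }'

    # 4. Signing still works, using the subkey.
    echo hello | g --clearsign | g --verify 2>/dev/null && echo "verify ok"
)
```

The listing reports the primary (`sec`) as a stub and the subkey (`ssb`) as present, which is what `gpg --list-secret-keys` shows as `sec#` in its human-readable output.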



More information about the Gnupg-devel mailing list