Why 2.1 is delayed for so long
infinity0 at pwned.gg
Tue Sep 23 15:25:15 CEST 2014
On 23/09/14 13:58, Werner Koch wrote:
> On Tue, 23 Sep 2014 12:14, infinity0 at pwned.gg said:
>> "Two subkeys are the exception" because it's not the default and
>> people don't know better. If it were made the default, it would become
>> the norm. What is the disadvantage to having two subkeys?
> Let's first ask ourselves what is the advantage of it? I know only one
> use case for a signing subkey which is to use the primary key only on an
> offline machine.
Yes, this is the use-case. It's clearer architecturally. Longer-term benefits include not accidentally using the master key for signing, for a naive program that has access to your master key. If you prefer "less keys", why not default to Certify+Sign+Authenticate? I am not sure Certify+Sign makes sense from any position.
>> user] to do [X]". However, if you keep making arguments like this, the
>> overall effect is that a typical user has to tweak a lot of things to
>> get a maximal level of security, which is not good usability-wise.
> The typical user shall use the defaults. If you don't like the
> defaults, please distribute your own modified version of the software.
You are being hasty and this is extremely unproductive logic. We are talking about what the defaults *should be*. You know that it's extremely costly to distribute a fork; I start at a disadvantage if I want to test the validity of my ideas in the market. Your ultimatum is about as short-sighted as saying "if you don't like the laws, get out of the country".
>> Another suggestion is, a revocation certificate should be
>> automatically generated when a key is generated, with clear
>> instructions to the user on what to do with it.
> Didn't you notice the ~/.gnupg/openpgp-revocs.d ?
No, I did not. If you expect people to notice this, you should mention this when a key is generated, and also in the man page.
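The key layout Werner describes (a primary key used only to certify, so it can live on an offline machine, with separate subkeys doing the daily work) and the openpgp-revocs.d directory he points at, as an added shell example that is not part of the thread or of GnuPG itself. It assumes gpg 2.1 or later on PATH, works in a throwaway GNUPGHOME, and uses a constructed test identity with no passphrase.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a certify-only primary key
# (the one you would keep offline) plus separate sign/encrypt/auth subkeys,
# then checks the revocation certificate GnuPG 2.1 writes to openpgp-revocs.d.
set -eu

# Isolated, throwaway keyring so nothing touches the real ~/.gnupg.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME

# Generate the primary key (certify only) and three single-purpose subkeys.
# Constructed test identity, no passphrase; prints the primary fingerprint.
make_split_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Test Key <test@example.invalid>" ed25519 cert never >/dev/null
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr" {print $10; exit}')
    for spec in "ed25519 sign" "cv25519 encr" "ed25519 auth"; do
        set -- $spec
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-add-key "$fpr" "$1" "$2" 1y >/dev/null
    done
    echo "$fpr"
}

# Capabilities of the primary key and each subkey, in order, e.g. "c s e a".
# Field 12 of --with-colons output carries a key's own flags in lower case;
# the upper-case letters on the pub line are the aggregate, so drop them.
key_usages() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '
        $1=="pub" || $1=="sub" { gsub(/[^a-z]/, "", $12); out = out (out=="" ? "" : " ") $12 }
        END { print out }'
}

# Does openpgp-revocs.d hold the automatically generated revocation certificate?
revoc_present() {
    [ -f "$GNUPGHOME/openpgp-revocs.d/$1.rev" ]
}

# Stop the agent gpg started for this keyring and discard the directory.
cleanup_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}
```

After `make_split_key`, `key_usages` should report `c s e a` and the `.rev` file named after the primary fingerprint should already exist, which is the certificate a user is expected to move somewhere safe.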