most convenient key type?

Brian M. Carlson karlsson@hal-pc.org
Sat Aug 17 07:00:02 2002


On Fri, Aug 16, 2002 at 03:47:15PM -0400, David Shaw wrote:
> On Fri, Aug 16, 2002 at 07:07:33PM +0000, Brian M. Carlson wrote:
> > On Fri, Aug 16, 2002 at 10:38:02AM -0400, David Shaw wrote:
> > > One possible solution is to do what I did: a RSA primary key, with an
> > > Elgamal encryption subkey and a DSA signing subkey.  The RSA primary
> > > can be whatever size you like and is used for signing the subkeys
> > > (note that using a big primary key generally makes the hash the weak
> > > point).  This works well with the GnuPG feature to use a secret key
> > > without a primary.  I keep my large primary offline, and use the two
> > > subkeys for actual work.
> >
> > I liked what you did, so I created something similar for my laptop key. I
> > have a primary key, which signs subkeys, a data signing subkey, a key
> > signing subkey, and an encryption subkey. However, the key signing subkey
> > doesn't sign keys, making it very useless. If this is unavailable,
> > consider this a wishlist bug. If this is available, please tell me how I
> > can get it to work, as I've tried everything, including -u DEADBEEF! .
>
> It actually used to be available, but was removed.  The main reason is
> that the web of trust is currently built via signatures from and on
> primary keys only.  Subkeys making key signatures would split the web
> of trust into the PGP half (primary keys only) and the GnuPG half
> (primary + subkeys).

If you don't mind, I'd very much like it back. It doesn't violate the RFC
(or its successors) so it's really PGP's problem that it doesn't comply
with the RFC in accepting such signatures. My rationale is that because
this key is for a laptop, and laptops are more likely to get stolen than
desktops, thus compromising the key, I can simply revoke the subkeys, and
keep the primary key, which would be on my desktop. Of course, since I
don't do that much key signing, I *could* use the primary key on my
desktop, but then I'd use my regular key, right?

If you'd like, you could even require --expert to use it.

-- 
Brian M. Carlson <karlsson@hal-pc.org> <http://decoy.wox.org/~bmc> 0x560553E7
QOTD:
	"I never met a man I couldn't drink handsome."

Signature policy: http://decoy.wox.org/~bmc/openpgp/policy.tex
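The key layout Shaw describes above (a certify-only primary that signs subkeys and stays offline, with working subkeys carried on the laptop via GnuPG's secret-key-without-primary feature) as an added shell example, not code from the thread. It assumes GnuPG 2.1 or later, uses ed25519/cv25519 subkeys instead of DSA/Elgamal for speed, and the user id and directory names are made up.

```shell
#!/bin/sh
# Added example: build an offline-primary key layout with GnuPG >= 2.1 and
# check that the laptop copy holds only a stub for the primary secret key.
set -eu

GPG_BATCH="--batch --pinentry-mode loopback --passphrase"

# Create a certify-only RSA primary plus a signing and an encryption subkey
# in a throwaway "desktop" homedir; prints the primary fingerprint.
make_desktop_key() {
  home=$1
  mkdir -p "$home" && chmod 700 "$home"
  # 'cert' usage: the primary only certifies subkeys and other people's keys.
  gpg --homedir "$home" $GPG_BATCH '' --quick-generate-key \
      'Example Laptop Key <laptop@example.invalid>' rsa2048 cert never 2>/dev/null
  fpr=$(gpg --homedir "$home" --with-colons --list-secret-keys \
        | awk -F: '/^fpr/ { print $10; exit }')
  # Working subkeys: one for data signatures, one for encryption.
  gpg --homedir "$home" $GPG_BATCH '' --quick-add-key "$fpr" ed25519 sign 1y 2>/dev/null
  gpg --homedir "$home" $GPG_BATCH '' --quick-add-key "$fpr" cv25519 encr 1y 2>/dev/null
  echo "$fpr"
}

# Copy only the secret subkeys into a second "laptop" homedir.
make_laptop_copy() {
  src=$1; dst=$2
  mkdir -p "$dst" && chmod 700 "$dst"
  gpg --homedir "$src" $GPG_BATCH '' --export-secret-subkeys 2>/dev/null \
    | gpg --homedir "$dst" --batch --import 2>/dev/null
}

# Prints "offline" when the primary secret key is a stub ('#' in colon field 15
# of the sec record), "present" when the real primary secret key is there.
primary_status() {
  gpg --homedir "$1" --with-colons --list-secret-keys \
    | awk -F: '/^sec/ { print ($15 == "#") ? "offline" : "present"; exit }'
}

# Number of secret subkeys (ssb records) in a homedir.
subkey_count() {
  gpg --homedir "$1" --with-colons --list-secret-keys | grep -c '^ssb'
}

# Stop the agents GnuPG started for the throwaway homedirs.
cleanup_agents() {
  for h in "$@"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
}
```

If the laptop is lost, the subkeys are revoked with the offline primary and fresh ones are added; the primary's certifications (and its place in the web of trust) survive.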