most convenient key type?
Brian M. Carlson
Sat Aug 17 07:00:02 2002
Content-Type: text/plain; charset=us-ascii
On Fri, Aug 16, 2002 at 03:47:15PM -0400, David Shaw wrote:
> On Fri, Aug 16, 2002 at 07:07:33PM +0000, Brian M. Carlson wrote:
> > On Fri, Aug 16, 2002 at 10:38:02AM -0400, David Shaw wrote:
> > > One possible solution is to do what I did: a RSA primary key, with an
> > > Elgamal encryption subkey and a DSA signing subkey. The RSA primary
> > > can be whatever size you like and is used for signing the subkeys
> > > (note that using a big primary key generally makes the hash the weak
> > > point). This works well with the GnuPG feature to use a secret key
> > > without a primary. I keep my large primary offline, and use the two
> > > subkeys for actual work.
> > I liked what you did, so I created something similar for my laptop key.=
> > have a primary key, which signs subkeys, a data signing subkey, a key
> > signing subkey, and an encryption subkey. However, the key signing subk=
> > doesn't sign keys, making it very useless. If this is unavailable,
> > consider this a wishlist bug. If this is available, please tell me how I
> > can get it to work, as I've tried everything, including -u DEADBEEF! .
> It actually used to be available, but was removed. The main reason is
> that the web of trust is currently built via signatures from and on
> primary keys only. Subkeys making key signatures would split the web
> of trust into the PGP half (primary keys only) and the GnuPG half
> (primary + subkeys).
If you don't mind, I'd very much like it back. It doesn't violate the RFC
(or its successors) so it's really PGP's problem that it doesn't comply
with the RFC in accepting such signatures. My rationale is that because
this key is for a laptop, and laptops are more likely to get stolen than
desktops, thus compromising the key, I can simply revoke the subkeys, and
keep the primary key, which would be on my desktop. Of course, since I
don't do that much key signing, I *could* use the primary key on my
desktop, but then I'd use my regular key, right?
If you'd like, you could even require --expert to use it.
Brian M. Carlson <email@example.com> <http://decoy.wox.org/~bmc> 0x560553=
"I never met a man I couldn't drink handsome."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.1.90 (GNU/Linux)
Comment: Ubi libertas, ibi patria.
-----END PGP SIGNATURE-----
Signature policy: http://decoy.wox.org/~bmc/openpgp/policy.tex