implications of subkeys?

Steve Butler sbutler@fchn.com
Fri Mar 1 18:10:01 2002


Hmm.  This whole thread started because of somebody's desire to secure their
home communication versus their work site communication.  It really has been
a learning experience.  Your and David's helpful comments throughout this
process have shed a lot of light.  So, if I have read everything correctly,
it sounds like the general consensus is:
*  Have one signing only key pair -- the master set (most likely DSA of
appropriate strength for long term usage).
*  Have one encryption sub-key (until most keyservers understand and
correctly handle multiple sub-keys) that is changed every so often.
*  Expose only the session-level key if possible when given a court order
(with appropriate legal counsel).
*  If you must expose the encryption sub-key, then generate a new pair for
future use (and change it more often) and revoke the prior sub-key pair.

I guess this still doesn't answer the one individual's concern about wanting
to have business and personal encryption different in case a court order
forced exposure of one or the other key.  Sounds like we need to wait for
updates to the keyservers.

-----Original Message-----
From: Janusz A. Urbanowicz [mailto:alex@bofh.torun.pl]
Sent: Friday, March 01, 2002 8:12 AM
To: Steve Butler
Cc: 'David Shaw'; GnuPG Users
Subject: Re: implications of subkeys?


Steve Butler wrote:

> The more comments I read, the closer I come to believing the best bet is a
> key set for work and a totally separate key set for home.  Or more
> precisely, a personal set and a business set.

Don't do this. I did this once and still regret it (my experiences with 'legacy
v3 key' are a dim echo of this past). It complicates your web of trust
position, you have two sets of user-ids to gather signatures for, you never know
if your correspondent has the right key, and generally the hassle is
significant. And significantly bigger than for a single key.

Alex
-- 
Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling
"I want to sail East, beyond Suez, where every evil is a good,
Where the Ten Commandments are lacking and one may drink right to the bottom;"
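
The key layout Steve summarises above (signing-only master key, one short-lived encryption subkey, a fresh subkey plus revocation of the old one once it has been exposed), as an added example that is not code from this thread or from the GnuPG project. It is a POSIX shell script using GnuPG 2.1+ commands, with ed25519/cv25519 in place of the DSA keys discussed in 2002; the user id, expiry periods and the sample colon-format listing are constructed, and it assumes gpg is on PATH and works in a throwaway keyring.

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): the consensus key layout with
# GnuPG 2.1+ commands. Assumes gpg on PATH; the user id, expiry values and the
# sample listing are constructed. Everything happens in a throwaway keyring.
set -eu

# Helpers that read a `gpg --with-colons --list-keys` listing on stdin.
primary_caps() {      # lowercase capabilities of the primary key itself ("sc")
  awk -F: '$1=="pub"{print $12; exit}' | tr -cd 'a-z'
}
live_enc_subkeys() {  # encryption subkeys (field 12 has "e") that are not revoked
  awk -F: '$1=="sub" && $2!="r" && $12 ~ /e/ {n++} END{print n+0}'
}
revoked_subkeys() {   # subkeys whose validity field (2) is "r"
  awk -F: '$1=="sub" && $2=="r" {n++} END{print n+0}'
}

demo_rotation() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  trap 'gpgconf --kill all 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
  g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }
  uid="Example Person <person@example.invalid>"   # constructed identity

  # 1. Signing-only primary key (certify+sign); ed25519 instead of 2002's DSA.
  g --quick-generate-key "$uid" ed25519 sign never
  fpr=$(gpg --with-colons --list-keys "$uid" | awk -F: '$1=="fpr"{print $10; exit}')
  # 2. One encryption subkey with a short lifetime, to be changed regularly.
  g --quick-add-key "$fpr" cv25519 encr 1y
  # 3. Rotation after exposure: add the replacement, then revoke subkey 1 with
  #    reason 2 ("key is superseded"); the answers feed the edit-key prompts.
  g --quick-add-key "$fpr" cv25519 encr 1y
  printf 'key 1\nrevkey\ny\n2\n\ny\nsave\n' | g --command-fd 0 --edit-key "$fpr"

  listing=$(gpg --with-colons --list-keys "$fpr")
  [ "$(printf '%s\n' "$listing" | primary_caps)" = sc ]       # never "e"
  [ "$(printf '%s\n' "$listing" | live_enc_subkeys)" -eq 1 ]
  [ "$(printf '%s\n' "$listing" | revoked_subkeys)" -eq 1 ]
  echo "rotation ok: $fpr has one live and one revoked encryption subkey"
}

# Constructed colon-format listing: sign+cert primary, one revoked and one live
# encryption subkey, i.e. what the keyring looks like after demo_rotation.
SAMPLE_LISTING='pub:u:255:22:0123456789ABCDEF:1614556800:::u:::scESC::::::23::0:
sub:r:255:18:1122334455667788:1614556800:1646092800:::::e::::::23:
sub:u:255:18:8877665544332211:1614556800:1646092800:::::e::::::23:'

if command -v gpg >/dev/null 2>&1; then demo_rotation
else echo "gpg not found; skipping the live demonstration"; fi
```

The three checks at the end of demo_rotation are the audit a practitioner would run after any rotation: the primary key must still carry no encryption capability, and exactly one encryption subkey may be live while the superseded one shows as revoked.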
