implications of subkeys?
Fri Mar 1 18:10:01 2002
Hmm. This whole thread started because of somebody's desire to secure =
home communication versus their work site communication. It really has=
a learning experience. Your and David's helpful comments throughout th=
process have shed a lot of light. So, if I have read everything correc=
it sounds like the general consensus is:
* Have one signing only key pair -- the master set (most likely DSA of=
appropriate strength for long term usage).
* Have one encryption sub-key (until most keyservers understand and
correctly handle multiple sub-keys) that is changed every so often.
* Expose only the session-level key if possible when given a court ord=
(with appropriate legal counsel).
* If must expose the encryption sub-key, then generate a new pair for
future use (and change it more often) and revoke the prior sub-key pair=
I guess this still doesn't answer the one individual's concern about wa=
to have business and personal encryption different in case a court orde=
forced exposure of one or the other key. Sounds like we need to wait f=
updates to the keyservers.
From: Janusz A. Urbanowicz [mailto:firstname.lastname@example.org]
Sent: Friday, March 01, 2002 8:12 AM
To: Steve Butler
Cc: 'David Shaw'; GnuPG Users
Subject: Re: implications of subkeys?
Steve Butler wrote/napisa=B3[a]/schrieb:
> The more comments I read, the closer I come to believing the best bet=
> key set for work and a totally separate key set for home. Or more
> precisely, a personal set and a business set.
Don't do this. I did this once and still regret (my experiences with 'l=
v3 key' are a dim echo of this past). It complicates your web of trust
position, you have two set of user-ids to gather signatures, you never =
if your correspondent has the right key on and generally the hassle is
significant. And significantly bigger than for single key.
C _-=3D-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | =
; (_O : +-------------------------------------------------------------=
! &~) ? | P=B3yn=B1=E6 chc=EA na Wsch=F3d, za Suez, gdzie jest dobrem =
ka=BFde z=B3o |
A ~-=3D-~ O| Gdzie przykaza=F1 brak dziesi=EAciu, a pi=E6 mo=BFna a=BF =
po dno; | |
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments=
, is for the sole use of the intended recipient(s) and may contain conf=
idential and privileged information. Any unauthorized review, use, dis=
closure or distribution is prohibited. If you are not the intended rec=
ipient, please contact the sender by reply e-mail and destroy all copie=
s of the original message.