best way to structure a new personal key?

Adrian 'Dagurashibanipal' von Bidder
Tue Nov 12 09:24:02 2002

On Tue, 2002-11-12 at 02:01, savanna wrote:
> I'm about to create a new personal key (in my realname) - just wondering
> about the best way to do this... My question is not about how to do it,
> but what to do.
> I was thinking of creating a key under gpg with keylength 2048, no expiry, then
> subkeys with 2 years (say) expiry for my different email addresses. Is
> this the best way?
> Also, which public key do I get signed at keysigning parties - my main
> one, or a subkey?


Keys are always signed with the primary.

My personal key policy is: have one signing subkey per account; and have
the primary only on my home machine which I consider secure enough (the
machine doesn't run all the time and is behind a masquerading firewall).

Expiry: I've set 10 years on the primary, 5 years on the subkeys. As
long as I feel the key is still secure, I will manage this as a 'sliding
window' and extend the validity frame after a few years.

You may have seen my subkeys howto at
(although it's a 'HOWTO', you can also extract information about why).

The most important things about subkeys:
 - encryption subkeys: don't bother to have more than one encryption
subkey (except old expired/revoked ones, of course). You can't tell the
senders of encrypted messages which encryption subkey to use (of course,
if you're encrypting documents for yourself, you gotta choose).
 - keyservers: most keyservers can't handle keys with multiple subkeys.
And even on those that can, automatic retrieval of the key is not
possible yet, as the subkey ids are not indexed (gpg can't know the
keyid of the primary when it gets a subkey signature).
 - interoperating with PGP: iirc it doesn't work. Test yourself.


-- vbi

this email is protected by a digital signature:

NOTE: keyserver bugs! get my key here:

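Added example (not part of the original message and not GnuPG code): a Python check of a key against the policy described in the reply above, that is, the primary secret key kept off the account machine, exactly one live encryption subkey, at least one live signing subkey, and an expiry on every subkey. It assumes the colon-delimited listing layout of GnuPG 2.1 or later, where field 15 of a sec record is '#' when only a stub is stored; the listing, key IDs and function names are constructed for illustration.

```python
# Added example: audit one key against the subkey policy described in the message.
# Input: output of `gpg --list-secret-keys --with-colons` for a single key
# (assumption: GnuPG 2.1+ layout, expiry as epoch seconds). SAMPLE is constructed.
SAMPLE = """\
sec:u:2048:1:1111111111111111:1037092000:1352452000::u:::sc:::#:
uid:u::::1037092000::0000000000000000000000000000000000000000::Example User <user@example.org>:
ssb:u:2048:1:2222222222222222:1037092000:1194772000:::::s:::+:
ssb:e:2048:1:3333333333333333:1005556000:1037092000:::::e:::+:
ssb:u:2048:1:4444444444444444:1037092000:1194772000:::::e:::+:
"""


def parse(listing, now):
    """Yield one dict per sec/ssb record; other record types are skipped."""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) >= 15:
            expires = int(f[6]) if f[6] else None
            yield {
                "type": f[0], "keyid": f[4], "caps": f[11], "expires": expires,
                # validity 'e' = expired, 'r' = revoked
                "live": f[1] not in ("e", "r") and (expires is None or expires > now),
                # field 15 is '#' when only a stub is stored (secret not on this machine)
                "secret_here": f[14] != "#",
            }


def audit(listing, now):
    """Return policy findings; an empty list means the key matches the policy."""
    keys = list(parse(listing, now))
    primary = [k for k in keys if k["type"] == "sec"]
    subs = [k for k in keys if k["type"] == "ssb" and k["live"]]
    if not primary:
        return ["no primary key record in listing"]
    findings = []
    if primary[0]["secret_here"]:
        findings.append("primary secret key is present on this machine")
    enc = [k for k in subs if "e" in k["caps"]]
    sig = [k for k in subs if "s" in k["caps"]]
    if len(enc) != 1:
        findings.append("expected 1 live encryption subkey, found %d" % len(enc))
    if not sig:
        findings.append("no live signing subkey for this account")
    findings += ["subkey %s has no expiry" % k["keyid"] for k in subs if k["expires"] is None]
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE, now=1100000000) or "key matches the policy")
```

Expired and revoked subkeys are ignored by the check, so old encryption subkeys left on the key do not count against the single-encryption-subkey rule.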