best way to structure a new personal key?
Adrian 'Dagurashibanipal' von Bidder
Tue Nov 12 09:24:02 2002
On Tue, 2002-11-12 at 02:01, savanna wrote:
> I'm about to create a new personal key (in my realname) - just wondering
> about the best way to do this... My question is not about how to do it,
> but what to do.
> I was thinking of creating a key under gpg with keylength 2048, no expiry
> subkeys with 2 years (say) expiry for my different email addresses. Is
> this the best way?
> Also, which public key do I get signed at keysigning parties - my main
> one, or a subkey?
Keys are always signed with the primary.
My personal key policy is: have one signing subkey per account; and have
the primary only on my home machine which I consider secure enough (the
machine doesn't run all the time and is behind a masquerading firewall).
Expiry: I've set 10 years on the primary, 5 years on the subkeys. As
long as I feel the key is still secure, I will manage this as a 'sliding
window' and extend the validity frame after a few years.
You may have seen my subkeys howto at http://fortytwo.ch/gpg/subkeys
(although it's a 'HOWTO', you can also extract information about why).
The most important things about subkeys:
- encryption subkeys: don't bother to have more than one encryption
subkey (except old expired/revoked ones, of course). You can't tell the
senders of encrypted messages which encryption subkey to use (of course,
if you're encrypting documents for yourself, you gotta choose).
- keyservers: most keyservers can't handle keys with multiple subkeys.
And even on those that can, automatic retrieval of the key is not
possible yet, as the subkey ids are not indexed (gpg can't know the
keyid of the primary when it gets a subkey signature).
- interoperating with PGP: iirc it doesn't work. Test yourself.
this email is protected by a digital signature: http://fortytwo.ch/gpg
NOTE: keyserver bugs! get my key here: https://fortytwo.ch/gpg/92082481
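
An added example, not part of the original message: a Python check that reads `gpg --list-secret-keys --with-colons` output and tests it against the policy described above (primary secret key kept off the account machine, a usable signing subkey, only one usable encryption subkey, expiry dates set). The sample listing, its key IDs and the function name `audit` are constructed for illustration, and timestamps are assumed to be epoch seconds.

```python
# Constructed sample of `gpg --list-secret-keys --with-colons` output on an
# account machine. Key IDs, dates and the user ID are made up.
SAMPLE = """\
sec:u:2048:1:AAAAAAAAAAAAAAAA:1700000000:2015360000::u:::scESC:::#:::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1700000000:1857680000:::::s:::+:::23:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1700000000:1857680000:::::e:::+:::23:
ssb:e:2048:1:DDDDDDDDDDDDDDDD:1500000000:1600000000:::::e:::+:::23:
"""


def audit(listing, now):
    """Check one key's colon-format listing against the policy in the message."""
    findings, primary_here, live = [], None, {"s": [], "e": []}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        validity, keyid, expires, caps, token = f[1], f[4], f[6], f[11], f[14]
        if f[0] == "sec":
            # Field 15 is '#' when only a stub of the secret key is stored.
            primary_here = token != "#"
        # Assumes epoch-second timestamps, as GnuPG 2.1+ prints them.
        if validity in ("e", "r") or (expires and int(expires) <= now):
            continue  # expired or revoked keys do not count as usable
        if not expires:
            findings.append(f"{keyid} has no expiry date")
        if f[0] == "ssb":
            for cap in "se":
                if cap in caps:
                    live[cap].append(keyid)
    if primary_here:
        findings.append("primary secret key is present on this machine")
    if not live["s"]:
        findings.append("no usable signing subkey")
    if len(live["e"]) > 1:
        findings.append("more than one usable encryption subkey: "
                        + ", ".join(live["e"]))
    return findings


if __name__ == "__main__":
    import time
    for finding in audit(SAMPLE, int(time.time())) or ["policy satisfied"]:
        print(finding)
```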