Multiple sub-signingkeys

Per Tunedal pt@radvis.nu
Sat Apr 26 21:14:02 2003


Hi,
Finally I hope that I have understood what Adrian von Bidder says on his 
page about using multiple subkeys:

http://fortytwo.ch/gpg/subkeys/


It is possible to use a "crippled" key without the secret primary signing 
key if another secret signing key is present. Only the public primary 
signing key is needed. When listing the secret keys, the primary key with a 
missing secret key is marked with #.

"your primary secret key should be marked with a '#':

$ gpg --list-secret-key testuser
sec# 1024D/971B7A70 2003-01-03 testuser <testuser@mydomain.foo>
ssb  1024g/ACDF80C4 2003-01-03
ssb  1024R/BE9CA308 2003-01-07"

This crippled key can be used on an insecure computer, while your complete 
key can be used on a secure computer. When listing secret keys for the 
original key the primary key is shown without the #.

You can thus easily see what secret keys are present in each keyring.

(If I am right it might be a good idea to emphasize this on your page, Adrian!)

I find Adrian's advice very useful. Why isn't it easier to do it?

(I have tried to do it with WinPT and it works OK. But I cannot see what 
secret keys are present, either with WinPT or with GPGrelay.)

Have I missed something?

Per Tunedal

PS I have previously tried using multiple encryption keys in a similar manner 
without success ...
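
Added example, not part of the original post or of Adrian von Bidder's page: a shell sketch that reads a secret-key listing in the format quoted above and reports which secret keys are actually present, for front ends that do not show the '#' marker. The function names are hypothetical, the second listing is constructed, and the parser assumes a listing for a single key with the key ID after the slash.

```shell
#!/bin/sh
# Classify every "sec"/"ssb" line of a human-readable secret-key listing read
# from stdin. Output: "<primary|subkey> <key ID> <present|missing>".
classify_secret_keys() {
    awk '
        /^(sec|ssb)/ {
            tag   = $1                         # "sec#", "sec" or "ssb"
            kind  = (substr(tag, 1, 3) == "sec") ? "primary" : "subkey"
            state = (index(tag, "#") > 0) ? "missing" : "present"
            n = split($2, part, "/")           # "1024D/971B7A70" -> key ID last
            print kind, part[n], state
        }'
}

# Exit status 0 only when the primary secret key is absent and at least one
# secret subkey is present: the "crippled" keyring meant for the insecure
# computer. Assumes the listing on stdin covers one key.
is_crippled_keyring() {
    classify_secret_keys | awk '
        $1 == "primary" && $3 == "missing" { stub = 1 }
        $1 == "primary" && $3 == "present" { full = 1 }
        $1 == "subkey"  && $3 == "present" { sub_ok = 1 }
        END { exit !(stub && !full && sub_ok) }'
}

# Listing quoted in the post (crippled keyring).
page_listing() {
    cat <<'EOF'
sec# 1024D/971B7A70 2003-01-03 testuser <testuser@mydomain.foo>
ssb  1024g/ACDF80C4 2003-01-03
ssb  1024R/BE9CA308 2003-01-07
EOF
}

# Constructed sample: the same key on the secure computer, primary present.
complete_listing() {
    page_listing | sed 's/^sec#/sec /'
}

# Demo on the embedded samples; with a real keyring, pipe the output of
# "gpg --list-secret-keys <user>" into the functions instead.
page_listing | classify_secret_keys
if page_listing | is_crippled_keyring; then
    echo "page listing: primary secret key absent, subkeys usable"
fi
if ! complete_listing | is_crippled_keyring; then
    echo "constructed listing: primary secret key present"
fi
```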