gnupg and subkeys

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Wed Jan 8 21:36:01 2003


On Wed, 2003-01-08 at 20:58, Werner Koch wrote:
> On Wed, 8 Jan 2003 14:24:46 -0500, David Shaw said:
>
> > Given secret key A, with subkeys A1 and A2, if you import "A+A1", you
> > can not then import "A+A2" to create "A+A1+A2".  You can only do that
> > with public keys.  For secret keys, you need to use gpgsplit and
> > manually assemble "A+A1+A2" for import.

Exactly.

> Should we really fix this?  This requires a complex secret key
> management and thus it is insecure.  There is nothing you gain from
> splitting your secret keyparts to several files.  I think it is far
> better to have just one master copy with the key and export the
> subkeys you require.

For me, it's not urgent. I do indeed have a complete master key - and I
warn about this issue in my subkeys HOWTO.

> An enhanced --export-secret-subkeys command where you can specify
> which subkeys to export would indeed be useful.

Looking forward to it, then :-)

(Sorry, no, I won't be coding this myself.)

cheers
-- vbi

-- 
this email is protected by a digital signature: http://fortytwo.ch/gpg

Signature policy: http://fortytwo.ch/legal/gpg/email.20020822
