Trouble signing (was: Trouble exporting keys)
Thu May 15 19:17:02 2003
Content-Type: text/plain; charset=us-ascii
> OK, I'm doing a lot of educated guessing, so if I make any incorrect
> assumptions, let me know. Here's what I think is going on:
Your educated guesses are all correct.
> WHY WHAT YOU WANT TO HAPPEN ISN'T HAPPENING:
> The -u flag (and all other flags which take a KeyID as a parameter) is
> intended to allow you to specify a full PGP key, complete with IDs,
> subkeys, signatures, and all the trimmings. You can use the primary
> KeyID, a unique piece of any ID string, or any subkey ID. The effect is
> always the same: pointing out which key on the keyring should be used.
> So -u E3CA8FAE is (for better or worse) synonymous with -u 0FEBCEC3.
> GnuPG's signing behavior is: once it's found a key on the keyring, it
> signs with the most recently created/modified signing subkey attached to
> that key. In your case, that's the RSA signing subkey.
> Overriding this default behavior, which is what it seems you'd like to
> do, is accomplished by postfixing the keyID with an exclamation point.
> So, -u 0FEBCEC3! means "really sign with my primary key, not my most
> current signing subkey".
> WHY WHAT YOU'RE TRYING TO DO MIGHT NOT BE WHAT YOU WANT TO DO
> If your goal in having both an RSA and a DSA signing key is to have a
> long-term-secure primary key on which to collect signatures, and a
> standards-compliant day-to-day document-signing DSA key, you've got them
> backwards. The RSA key should be the primary key, since it can be big,
> and the DSA key should be the signing subkey, since it is trusted by the
> government to sign documents. This does require that you completely
> revoke your current primary key and start from scratch, though.
> I hope this helps.
> --Dennis Lambe
Thank you so much Dennis. Yes, this helps a great deal. This is
precisely the information I was looking for.
I have no problem starting from scratch. Indeed, it's best to do that now,
since I'm just getting started, instead of later.
I'll revoke my current key later today, and start over with a 4096-bit RSA
primary signing key. Later I'll create a 1024-bit DSA key and a 2048-bit
ElGamal key. And this will do exactly what I want:
- Long-term security through the 4096-bit primary key.
- GPG defaults to DSA for signing.
- If I ever want more security, I can use ! to sign with the RSA.
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)
-----END PGP SIGNATURE-----
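The point Dennis makes above (that -u E3CA8FAE and -u 0FEBCEC3 select the same certificate, that GnuPG then signs with the most recent signing subkey, and that only KEYID! forces a specific key) can be checked on a real signature rather than taken on faith: the issuer subpacket inside the signature packet names the key that actually signed. The following is an added example, not code from the thread or from GnuPG. It parses a v4 OpenPGP signature packet (old- or new-format header, hashed and unhashed subpacket areas) and reports the signing key's long key ID, then maps that back to "primary" or "subkey" in a certificate layout modelled on the one discussed. The primary key's long ID is taken from the fingerprint in the footer; the subkey's long ID, the dummy hash prefix and MPI bytes, and the signature packets themselves are constructed for the example.

```python
"""Added example (not from the original thread or GnuPG): find which key
really produced an OpenPGP v4 signature by reading its issuer subpacket.

Run it on a detached signature produced with 'gpg --detach-sign' by passing
the file's bytes to signature_issuer(); the signatures built below are
constructed stand-ins so the script runs offline.
"""
import struct

SIG_TAG = 2                 # packet tag for a signature packet
SUBPKT_CREATION_TIME = 2    # RFC 4880 5.2.3.4
SUBPKT_ISSUER = 16          # RFC 4880 5.2.3.5, 8-byte long key ID
SUBPKT_ISSUER_FPR = 33      # newer "issuer fingerprint", 1 byte version + fpr

# Constructed certificate layout mirroring the thread: one primary key with a
# signing subkey. The primary's long ID comes from the fingerprint in the
# footer; the subkey's long ID is invented (only its short form E3CA8FAE is
# mentioned on the page).
PRIMARY_RSA = "9E04B9A00FEBCEC3"
SUBKEY_RSA_SIGN = "1A2B3C4DE3CA8FAE"
CERT = {"primary": PRIMARY_RSA, "subkeys": [SUBKEY_RSA_SIGN]}
ROLES = {PRIMARY_RSA: "primary key (RSA)", SUBKEY_RSA_SIGN: "signing subkey (RSA)"}


def _subpacket_len(buf, pos):
    """Return (length, next_pos) for a subpacket length (RFC 4880 5.2.3.1)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def _packet_body(buf):
    """Strip the packet header (old or new format; no partial lengths) and
    return the body, rejecting anything that is not a signature packet."""
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                              # new-format header
        tag, first = ctb & 0x3F, buf[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + buf[2] + 192, 3
        elif first == 255:
            length, start = struct.unpack(">I", buf[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                       # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, start = buf[1], 2
        elif ltype == 1:
            length, start = struct.unpack(">H", buf[1:3])[0], 3
        elif ltype == 2:
            length, start = struct.unpack(">I", buf[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    if tag != SIG_TAG:
        raise ValueError("packet tag %d is not a signature" % tag)
    return buf[start:start + length]


def _subpackets(area):
    """Yield (type, data) for each subpacket in a hashed/unhashed area."""
    pos = 0
    while pos < len(area):
        length, pos = _subpacket_len(area, pos)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # high bit = critical
        pos += length


def signature_issuer(packet):
    """Return (long key ID hex, public-key algorithm) of the key that signed."""
    body = _packet_body(packet)
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    pk_algo = body[2]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    issuer = None
    # GnuPG 1.x put the issuer in the unhashed area; look at both, hashed wins.
    for area in (unhashed, hashed):
        for sub_type, data in _subpackets(area):
            if sub_type == SUBPKT_ISSUER and len(data) == 8:
                issuer = data.hex().upper()
            elif sub_type == SUBPKT_ISSUER_FPR and len(data) >= 21:
                issuer = data[-8:].hex().upper()   # key ID = low 8 bytes of v4 fpr
    if issuer is None:
        raise ValueError("no issuer subpacket in signature")
    return issuer, pk_algo


def certificate_for(short_id):
    """What '-u <key ID>' selects: the whole certificate, named by its primary."""
    for long_id in [CERT["primary"]] + CERT["subkeys"]:
        if long_id.endswith(short_id.upper()):
            return CERT["primary"]
    raise KeyError(short_id)


def describe_signer(packet):
    issuer, _ = signature_issuer(packet)
    return ROLES.get(issuer, "unknown key " + issuer)


def build_signature(issuer_hex, pk_algo, hashed_issuer=True):
    """Construct a v4 binary-document signature packet with a real issuer
    subpacket but dummy hash prefix and MPI bytes (it will not verify)."""
    def subpacket(sub_type, data):
        return bytes([len(data) + 1, sub_type]) + data       # one-octet length
    creation = subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", 1053025022))
    issuer = subpacket(SUBPKT_ISSUER, bytes.fromhex(issuer_hex))
    hashed = creation + (issuer if hashed_issuer else b"")
    unhashed = b"" if hashed_issuer else issuer
    body = bytes([4, 0x00, pk_algo, 2])                 # v4, binary doc, algo, SHA-1
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\x12\x34"                                 # dummy left 16 bits of hash
    body += b"\x00\x08\x80"                             # one dummy 8-bit MPI
    return bytes([0xC0 | SIG_TAG, len(body)]) + body    # new-format header


if __name__ == "__main__":
    # Both short IDs name the same certificate, as the thread explains.
    print(certificate_for("E3CA8FAE") == certificate_for("0FEBCEC3"))
    # 'gpg -u 0FEBCEC3' signs with the subkey; 'gpg -u 0FEBCEC3!' with the primary.
    print(describe_signer(build_signature(SUBKEY_RSA_SIGN, 1)))
    print(describe_signer(build_signature(PRIMARY_RSA, 1)))
```

Against a real detached signature, read the .sig file as bytes and call signature_issuer() on it; the returned long key ID is what "gpg --verify" reports in its "using ... key" line, and comparing it with "gpg --list-keys --keyid-format long" tells you whether the primary or a subkey signed.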