Trouble signing (was: Trouble exporting keys)

Daniel Carrera dcarrera@math.umd.edu
Thu May 15 19:17:02 2003



> OK, I'm doing a lot of educated guessing, so if I make any incorrect
> assumptions, let me know.  Here's what I think is going on:

Your educated guesses are all correct.

[snip]
> WHY WHAT YOU WANT TO HAPPEN ISN'T HAPPENING:
> The -u flag (and all other flags which take a KeyID as a parameter) is
> intended to allow you to specify a full PGP key, complete with IDs,
> subkeys, signatures, and all the trimmings.  You can use the primary
> KeyID, a unique piece of any ID string, or any subkey ID.  The effect is
> always the same: pointing out which key on the keyring should be used.
> So -u E3CA8FAE is (for better or worse) synonymous with -u 0FEBCEC3.
>
> GnuPG's signing behavior is: once it's found a key on the keyring, it
> signs with the most recently created/modified signing subkey attached to
> that key.  In your case, that's the RSA signing subkey.
>
> Overriding this default behavior, which is what it seems you'd like to
> do, is accomplished by postfixing the keyID with an exclamation point.
> So, -u 0FEBCEC3! means "really sign with my primary key, not my most
> current signing subkey".
>
> WHY WHAT YOU'RE TRYING TO DO MIGHT NOT BE WHAT YOU WANT TO DO
> If your goal in having both an RSA and a DSA signing key is to have a
> long-term-secure primary key on which to collect signatures, and a
> standards-compliant day-to-day document-signing DSA key, you've got them
> backwards.  The RSA key should be the primary key, since it can be big,
> and the DSA key should be the signing subkey, since it is trusted by the
> government to sign documents.  This does require that you completely
> revoke your current primary key and start from scratch, though.
>
> I hope this helps.
>
> --Dennis Lambe

Thank you so much Dennis.  Yes, this helps a great deal.  This is
precisely the information I was looking for.

I have no problem starting from scratch.  Indeed, it's to do that now
since I'm just getting started, instead of later.

I'll revoke my current key later today, and start over with a 4096-bit RSA
primary signing key.  Later I'll create a 1024-bit DSA key and a 2048-bit
ElGamal key.  And this will do exactly what I want:

 - Long-term security through the 4096-bit primary key.
 - GPG defaults to DSA for signing.
 - If I ever want more security, I can use ! to sign with the RSA.

Thanks again.

-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html
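As an added illustration (not part of Dennis's or Daniel's mail), the selection rule described above modelled in Python over constructed `gpg --list-keys --with-colons` style listings: without `!` any matching ID only locates the whole key and the newest signing subkey is used, with `!` the named component itself is used. Only the key IDs 0FEBCEC3 and E3CA8FAE come from the thread; all other IDs, dates and the ALGO table values are assumptions or placeholders.

```python
"""Model of the gpg -u selection rule described in the thread: any key ID,
user-ID fragment or subkey ID selects the whole key, and gpg then signs with the
newest signing-capable subkey; a trailing '!' forces that exact key instead."""

ALGO = {"1": "RSA", "16": "ElGamal", "17": "DSA"}  # OpenPGP algo IDs, field 4

# Constructed `--with-colons` listing of the layout the thread starts from: DSA
# primary 0FEBCEC3 (long ID taken from the signature fingerprint) plus a newer
# RSA signing subkey E3CA8FAE; the 0000... prefixes are placeholders, not real.
CURRENT_LAYOUT = """\
pub:u:1024:17:9E04B9A00FEBCEC3:1052000000:::u:::scESC:
uid:u::::1052000000::PLACEHOLDERHASH::Daniel Carrera <dcarrera@math.umd.edu>:
sub:u:2048:16:00000000CAFE0001:1052000000::::::e:
sub:u:4096:1:00000000E3CA8FAE:1053000000::::::s:
"""

# Constructed listing of the layout planned in the reply (all IDs placeholders):
# RSA primary, DSA signing subkey, ElGamal encryption subkey.
PLANNED_LAYOUT = """\
pub:u:4096:1:0000000000AA1111:1053100000:::u:::scESC:
sub:u:1024:17:0000000000BB2222:1053200000::::::s:
sub:u:2048:16:0000000000CC3333:1053200000::::::e:
"""

def parse_keys(listing):
    """Return pub/sub records as dicts; uid and other record types are skipped."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append({"type": f[0], "algo": ALGO.get(f[3], f[3]), "keyid": f[4],
                         "created": int(f[5]), "caps": f[11]})
    return keys

def select_signing_key(listing, keyspec):
    """Return (algorithm, short key ID) that `gpg -u keyspec` would sign with."""
    keys = parse_keys(listing)
    exact = keyspec.endswith("!")
    wanted = keyspec.rstrip("!").upper()
    matches = [k for k in keys if k["keyid"].endswith(wanted)]
    if not matches:
        raise LookupError(f"no key on this keyring matches {keyspec}")
    if exact:  # '!' pins this exact component (lowercase cap = its own ability)
        key = matches[0]
        if "s" not in key["caps"]:
            raise ValueError(f"{wanted} is not a signing-capable key")
    else:  # otherwise the match only locates the key; newest signing subkey wins
        subs = [k for k in keys if k["type"] == "sub" and "s" in k["caps"]]
        key = max(subs, key=lambda k: k["created"]) if subs else keys[0]  # pub
    return key["algo"], key["keyid"][-8:]
```

Run against the current layout, `0FEBCEC3` and `E3CA8FAE` both resolve to the RSA subkey, while `0FEBCEC3!` resolves to the DSA primary, matching what the thread describes.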
