Trouble signing (was: Trouble exporting keys)
Daniel Carrera
dcarrera@math.umd.edu
Thu May 15 19:17:02 2003
> OK, I'm doing a lot of educated guessing, so if I make any incorrect
> assumptions, let me know. Here's what I think is going on:
Your educated guesses are all correct.
[snip]
> WHY WHAT YOU WANT TO HAPPEN ISN'T HAPPENING:
> The -u flag (and all other flags which take a KeyID as a parameter) is
> intended to allow you to specify a full PGP key, complete with IDs,
> subkeys, signatures, and all the trimmings. You can use the primary
> KeyID, a unique piece of any ID string, or any subkey ID. The effect is
> always the same: pointing out which key on the keyring should be used.
> So -u E3CA8FAE is (for better or worse) synonymous with -u 0FEBCEC3.
>
> GnuPG's signing behavior is: once it's found a key on the keyring, it
> signs with the most recently created/modified signing subkey attached to
> that key. In your case, that's the RSA signing subkey.
>
> Overriding this default behavior, which is what it seems you'd like to
> do, is accomplished by postfixing the keyID with an exclamation point.
> So, -u 0FEBCEC3! means "really sign with my primary key, not my most
> current signing subkey".
>
> WHY WHAT YOU'RE TRYING TO DO MIGHT NOT BE WHAT YOU WANT TO DO
> If your goal in having both an RSA and a DSA signing key is to have a
> long-term-secure primary key on which to collect signatures, and a
> standards-compliant day-to-day document-signing DSA key, you've got them
> backwards. The RSA key should be the primary key, since it can be big,
> and the DSA key should be the signing subkey, since it is trusted by the
> government to sign documents. This does require that you completely
> revoke your current primary key and start from scratch, though.
>
> I hope this helps.
>
> --Dennis Lambe
Thank you so much, Dennis. Yes, this helps a great deal. This is
precisely the information I was looking for.
I have no problem starting from scratch. Indeed, it's to do that now
since I'm just getting started, instead of later.
I'll revoke my current key later today, and start over with a 4096-bit RSA
primary signing key. Later I'll create a 1024-bit DSA key and a 2048-bit
ElGamal key. And this will do exactly what I want:
- Long-term security through the 4096-bit primary key.
- GPG defaults to DSA for signing.
- If I ever want more security, I can use ! to sign with the RSA.
Thanks again.
-- 
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html