Advice for Web of Trust policy

Dany Nativel dany_list at natzo.com
Sun Feb 20 01:19:49 CET 2005


Hello,

I've been playing around with the OpenPGP card and I'm now ready to go 
live. I'd like to get into the web of trust but I don't know which way 
to go:

1) Like most GnuPG users, dedicated off-line signing key for signing 
other people's keys and my subkeys
pros:
- not connected... that says it all!

cons:
- doesn't protect against a keyboard logger (passphrase)
- signing key can be physically duplicated (brute force attack possible)

2) OpenPGP card for both signing and encrypting
pros:
- One card for both web of trust and everyday encryption/signing
- Not easy to duplicate the key's secret material (but not impossible though ;))
- No complex passphrase to remember + automatic lock-down after 3 attempts
- Easier to use with services like biglumber.com because the signing key 
is linked to an email address and also has an encryption subkey. Some 
people will only give you a cert level 2 if the key is only a signing key.

cons:
- Card is going to be used on a machine connected to the Internet.

How is my policy (single OpenPGP card for everything) going to be 
accepted by the community?
Is this going to be seen as a threat to the web of trust?

Maybe I can get the advantage of 1) by only signing other people's keys 
with an OpenPGP SmartCard, a LiveCD and no network.

Thanks for your feedback
Best regards
Dany
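As an added example (not part of Dany's message, and not GnuPG project code), here is the "option 1" layout expressed concretely: a certify-only primary key that stays on the offline machine, with a signing subkey and an encryption subkey that are the only secret material exported to the online, card-equipped machine. The parameter-file keywords are GnuPG's unattended key-generation syntax; the name, e-mail address, temp paths and the RUN_GPG_DEMO variable are constructed placeholders, and `%no-protection` is used only so the demo runs without a pinentry prompt (a real offline primary key should carry a passphrase).

```shell
#!/bin/sh
# Added example: offline certify-only primary + exportable subkeys (GnuPG).
# Names, e-mail and paths are placeholders constructed for this example.

# Write a parameter file for `gpg --batch --gen-key`.
# The primary key is certify-only: it signs other people's keys and
# certifies our own subkeys, and never leaves the offline machine.
# The first subkey is a signing subkey destined for the online machine.
# Prints the path it wrote.
write_offline_key_params() {
    out="$1"
    cat > "$out" <<'EOF'
%no-protection
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: cert
Subkey-Type: EDDSA
Subkey-Curve: ed25519
Subkey-Usage: sign
Name-Real: Example User
Name-Email: user@example.invalid
Expire-Date: 1y
%commit
EOF
    printf '%s\n' "$out"
}

# Return 0 if the parameter file gives the primary key the single usage
# "cert" (no sign/encrypt/auth on the primary), 1 otherwise.
params_primary_is_certify_only() {
    usage=$(sed -n 's/^Key-Usage:[[:space:]]*//p' "$1" | tr -d '[:space:]')
    [ "$usage" = "cert" ]
}

# Return 0 if every subkey usage line is sign, encrypt or auth and the
# subkey section does not try to claim "cert" (only primaries certify).
params_subkeys_never_certify() {
    ! sed -n 's/^Subkey-Usage:[[:space:]]*//p' "$1" | grep -q 'cert'
}

# Optional live walk-through, only when gpg is installed and RUN_GPG_DEMO=1:
# generate the key in a throwaway GNUPGHOME ("offline" side), add an
# encryption subkey, export only the secret subkeys, import them into a second
# throwaway GNUPGHOME ("online" side) and report whether the primary secret
# key is a stub there (shown as "sec#" by gpg; field 15 == "#" in colon output).
demo_offline_primary() {
    offline=$(mktemp -d) && chmod 700 "$offline"
    online=$(mktemp -d) && chmod 700 "$online"
    write_offline_key_params "$offline/params.txt" >/dev/null
    GNUPGHOME="$offline" gpg --batch --gen-key "$offline/params.txt"
    fpr=$(GNUPGHOME="$offline" gpg --list-secret-keys --with-colons \
          | awk -F: '$1=="fpr"{print $10; exit}')
    # Encryption subkey, also generated offline and certified by the primary.
    GNUPGHOME="$offline" gpg --batch --quick-add-key "$fpr" cv25519 encr 1y
    # Only the subkeys' secret material goes to the online machine.
    GNUPGHOME="$offline" gpg --batch --export-secret-subkeys "$fpr" \
        > "$offline/subkeys-only.gpg"
    GNUPGHOME="$online" gpg --batch --import "$offline/subkeys-only.gpg"
    GNUPGHOME="$online" gpg --list-secret-keys --with-colons \
        | awk -F: '$1=="sec"{print ($15=="#") ? "primary is an offline stub (sec#)" : "primary secret is present"}'
}

if [ "${RUN_GPG_DEMO:-0}" = "1" ] && command -v gpg >/dev/null 2>&1; then
    demo_offline_primary
fi
```

On the online machine the exported subkeys can then be moved onto the OpenPGP card with `keytocard` in `gpg --edit-key`, so the card holds only signing/encryption subkeys while certifications of other people's keys are still made with the primary on the offline machine.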