Keytypes and changing them

David Shaw dshaw at
Tue Nov 8 14:24:16 CET 2005

On Tue, Nov 08, 2005 at 12:27:13PM +0100, Christoph Anton Mitterer wrote:
> Hi folks!
> Ok,.. I know that you can set at least the following flags to specify 
> the purpose of a key:
> A - authorsation
> C - certification
> E - encryption
> S - signation
> Ok,.. as far as I understood, if a key is C-only that this indicates 
> that it is used solely for signing other keys, but not for signing 
> normal data, correct?
> Ok,.. I thought about that and came to the result - correct me if I'm 
> wrong - that it would be more secure to use the primary key only for 
> certificating other keys (and of course for self-sigs).
> Ok my current key looks like the following:
> primary: CS, RSA-S, 4096 bit
> secondary: E, ElGamal, 4096 bit
> So I think it would be better to have the following:
> primary: C, RSA-S, 4096 bit
> secondary: S, RSA-S, 4096 bit
> secondary: E, ElGamal, 4096 bit
> Ok...
> 1) Is it advisable at all?

Yes.  Many people do it this way, including myself.  It's not actually
an RSA-S key (that's deprecated), but a regular RSA key with the S
flag set.  However, you don't actually want to change the primary from
CS to C.

> 2) Can I change this with GPG (without having to create a new key, of 
> course)?
> 3) If not: Is this function going to be intruduced in GPG the next time?
> 4) If not: How could I do that else?

You can add a signing subkey any time you like.  This doesn't flip
your primary CS key into a C only key, but that doesn't matter much.
If GnuPG sees you have a signing subkey, it will always choose it in
favor of the primary key when making a signature.

You don't want a C only primary key because if you go to a key signing
party, you may be asked to sign a challenge to prove you own your key.
This challenge must be signed with the primary key to be valid.

> 5) Would it change my primary key in such a way, that it renders the 
> signatures that I've already received from other users invalid?

No.  This does not affect third-party signatures.


More information about the Gnupg-users mailing list