Keytypes and changing them
David Shaw
dshaw at jabberwocky.com
Tue Nov 8 14:24:16 CET 2005
On Tue, Nov 08, 2005 at 12:27:13PM +0100, Christoph Anton Mitterer wrote:
> Hi folks!
>
> Ok,.. I know that you can set at least the following flags to specify
> the purpose of a key:
> A - authorisation
> C - certification
> E - encryption
> S - signing
>
> Ok,.. as far as I understood, if a key is C-only that this indicates
> that it is used solely for signing other keys, but not for signing
> normal data, correct?
>
> Ok,.. I thought about that and came to the result - correct me if I'm
> wrong - that it would be more secure to use the primary key only for
> certifying other keys (and of course for self-sigs).
>
> Ok my current key looks like the following:
> primary: CS, RSA-S, 4096 bit
> secondary: E, ElGamal, 4096 bit
>
> So I think it would be better to have the following:
> primary: C, RSA-S, 4096 bit
> secondary: S, RSA-S, 4096 bit
> secondary: E, ElGamal, 4096 bit
>
> Ok...
> 1) Is it advisable at all?
Yes. Many people do it this way, including myself. It's not actually
an RSA-S key (that's deprecated), but a regular RSA key with the S
flag set. However, you don't actually want to change the primary from
CS to C.
> 2) Can I change this with GPG (without having to create a new key, of
> course)?
> 3) If not: Is this function going to be introduced in GPG the next time?
> 4) If not: How could I do that else?
You can add a signing subkey any time you like. This doesn't flip
your primary CS key into a C only key, but that doesn't matter much.
If GnuPG sees you have a signing subkey, it will always choose it in
favor of the primary key when making a signature.
You don't want a C only primary key because if you go to a key signing
party, you may be asked to sign a challenge to prove you own your key.
This challenge must be signed with the primary key to be valid.
> 5) Would it change my primary key in such a way, that it renders the
> signatures that I've already received from other users invalid?
No. This does not affect third-party signatures.
David
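The procedure David describes, as an added example that is not part of the thread: generate a CS primary key, add a signing-only subkey to it, sign a message, and confirm that gpg picked the subkey rather than the primary. It uses the `--quick-generate-key` and `--quick-add-key` commands, which only exist in GnuPG 2.1 and later (the 1.4 series current when this was written does the same through `gpg --edit-key` and its `addkey` command). The user ID and the signed message are constructed test data, the keys are 2048-bit RSA rather than 4096 just to keep the run short, and everything happens in a throwaway GNUPGHOME so the real keyring is never touched.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GnuPG 2.1+ with gpg-agent.
# Shows that once a signing subkey exists, gpg signs with it instead of the
# primary key, while the primary keeps its C and S flags untouched.

gpg_demo() {
    # One non-interactive gpg invocation inside the throwaway keyring.
    GNUPGHOME="$GPG_DEMO_HOME" gpg --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

signing_key_report() {
    GPG_DEMO_HOME=$(mktemp -d)
    chmod 700 "$GPG_DEMO_HOME"
    uid_str="Example User <example@example.invalid>"   # constructed identity

    # 1. Primary key with certify + sign usage (the "CS" primary of the thread).
    gpg_demo --quick-generate-key "$uid_str" rsa2048 cert,sign never

    # Primary fingerprint: the first "fpr" record in colon-delimited output.
    primary=$(gpg_demo --with-colons --list-keys "$uid_str" \
              | awk -F: '$1=="fpr" {print $10; exit}')

    # 2. Add a signing-only subkey to the existing key. No new primary,
    #    so third-party certifications on the primary stay valid.
    gpg_demo --quick-add-key "$primary" rsa2048 sign never

    # Key ID (field 5) of the subkey whose capabilities (field 12) include "s".
    subkey=$(gpg_demo --with-colons --list-keys "$uid_str" \
             | awk -F: '$1=="sub" && $12 ~ /s/ {print $5; exit}')

    # 3. Sign a message, then let gpg report which key made the signature.
    #    The VALIDSIG status line carries the signing key's fingerprint in
    #    its first field and the primary key's fingerprint in its last one.
    printf 'challenge\n' > "$GPG_DEMO_HOME/msg.txt"
    gpg_demo --detach-sign --output "$GPG_DEMO_HOME/msg.sig" "$GPG_DEMO_HOME/msg.txt"
    sigfpr=$(gpg_demo --status-fd 1 --verify "$GPG_DEMO_HOME/msg.sig" \
                 "$GPG_DEMO_HOME/msg.txt" 2>/dev/null \
             | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')

    GNUPGHOME="$GPG_DEMO_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GPG_DEMO_HOME"

    # Three fields: primary fingerprint, signing subkey ID, fingerprint of
    # the key that actually signed. The last one ends in the subkey ID.
    echo "$primary $subkey $sigfpr"
}

# Run it; skipped cleanly when gpg is not installed.
if command -v gpg >/dev/null 2>&1; then
    SIGNING_KEY_REPORT=$(signing_key_report)
    echo "$SIGNING_KEY_REPORT"
else
    SIGNING_KEY_REPORT=""
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

The check that matters is the last field: the fingerprint gpg reports for the signature is the subkey's, not the primary's, even though the primary still carries the S flag. That is the "you don't need to flip CS to C" point above. For the key-signing-party challenge, where the primary must do the signing, you would override the choice with `--default-key` followed by the primary fingerprint and a trailing `!`.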