Keytypes and changing them

Christoph Anton Mitterer cam at
Tue Nov 8 15:29:39 CET 2005

David Shaw wrote:

>>So I think it would be better to have the following:
>>primary: C, RSA-S, 4096 bit
>>secondary: S, RSA-S, 4096 bit
>>secondary: E, ElGamal, 4096 bit
>>1) Is it advisable at all?
>Yes.  Many people do it this way, including myself.  It's not actually
>an RSA-S key (that's deprecated), but a regular RSA key with the S
>flag set.  However, you don't actually want to change the primary from
>CS to C.
Why not? *g* Of course I could just don't use my primary key for signing 
plain data,.. but I think it would be better to indicate that with the 
flag, too.
What would be the disadvantages?

>>2) Can I change this with GPG (without having to create a new key, of 
>>3) If not: Is this function going to be intruduced in GPG the next time?
>>4) If not: How could I do that else?
>You can add a signing subkey any time you like.  This doesn't flip
>your primary CS key into a C only key, but that doesn't matter much.
Of course...

>If GnuPG sees you have a signing subkey, it will always choose it in
>favor of the primary key when making a signature.
>You don't want a C only primary key because if you go to a key signing
>party, you may be asked to sign a challenge to prove you own your key.
>This challenge must be signed with the primary key to be valid.
Ah,.. hm ok,.. is this the only reason for not using a C-only primary key?

And again,.. is it posible to change the flag on an existing key? And 
how is it done? Via a selfsignature? If so, I could change the flag to 
C, indicating everybody that I'm using the primary key for 
signing-other-keys-only and if someone should insist on 
challenge-response I could use the --expert flag or store a local-only 
version of the key (e.g. in an seperate .gnupg dir) that contains the 
key with CS.

>>5) Would it change my primary key in such a way, that it renders the 
>>signatures that I've already received from other users invalid?
>No.  This does not affect third-party signatures.
Good,.. so I could change this as often as I'd like to, correct?

Best wishes,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cam.vcf
Type: text/x-vcard
Size: 449 bytes
Desc: not available
Url : /pipermail/attachments/20051108/a4611b54/cam-0001.vcf

More information about the Gnupg-users mailing list