Keytypes and changing them
Christoph Anton Mitterer
cam at mathematica.scientia.net
Tue Nov 8 15:29:39 CET 2005
David Shaw wrote:
>>So I think it would be better to have the following:
>>primary: C, RSA-S, 4096 bit
>>secondary: S, RSA-S, 4096 bit
>>secondary: E, ElGamal, 4096 bit
>>1) Is it advisable at all?
>Yes. Many people do it this way, including myself. It's not actually
>an RSA-S key (that's deprecated), but a regular RSA key with the S
>flag set. However, you don't actually want to change the primary from
>CS to C.
Why not? *g* Of course I could just don't use my primary key for signing
plain data,.. but I think it would be better to indicate that with the
What would be the disadvantages?
>>2) Can I change this with GPG (without having to create a new key, of
>>3) If not: Is this function going to be intruduced in GPG the next time?
>>4) If not: How could I do that else?
>You can add a signing subkey any time you like. This doesn't flip
>your primary CS key into a C only key, but that doesn't matter much.
>If GnuPG sees you have a signing subkey, it will always choose it in
>favor of the primary key when making a signature.
>You don't want a C only primary key because if you go to a key signing
>party, you may be asked to sign a challenge to prove you own your key.
>This challenge must be signed with the primary key to be valid.
Ah,.. hm ok,.. is this the only reason for not using a C-only primary key?
And again,.. is it posible to change the flag on an existing key? And
how is it done? Via a selfsignature? If so, I could change the flag to
C, indicating everybody that I'm using the primary key for
signing-other-keys-only and if someone should insist on
challenge-response I could use the --expert flag or store a local-only
version of the key (e.g. in an seperate .gnupg dir) that contains the
key with CS.
>>5) Would it change my primary key in such a way, that it renders the
>>signatures that I've already received from other users invalid?
>No. This does not affect third-party signatures.
Good,.. so I could change this as often as I'd like to, correct?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 449 bytes
Desc: not available
Url : /pipermail/attachments/20051108/a4611b54/cam-0001.vcf
More information about the Gnupg-users