Keytypes and changing them

Alphax alphasigmax at
Tue Nov 8 15:35:59 CET 2005

Hash: SHA256

Christoph Anton Mitterer wrote:
> David Shaw wrote:
>>> So I think it would be better to have the following:
>>> primary: C, RSA-S, 4096 bit
>>> secondary: S, RSA-S, 4096 bit
>>> secondary: E, ElGamal, 4096 bit
>>> Ok...
>>> 1) Is it advisable at all?
>> Yes.  Many people do it this way, including myself.  It's not actually
>> an RSA-S key (that's deprecated), but a regular RSA key with the S
>> flag set.  However, you don't actually want to change the primary from
>> CS to C.
> Why not? *g* Of course I could just don't use my primary key for signing
> plain data,.. but I think it would be better to indicate that with the
> flag, too.
> What would be the disadvantages?

You could end up with conflicting copies of the same key for one...

> And again,.. is it posible to change the flag on an existing key? And
> how is it done? Via a selfsignature? If so, I could change the flag to
> C, indicating everybody that I'm using the primary key for
> signing-other-keys-only and if someone should insist on
> challenge-response I could use the --expert flag or store a local-only
> version of the key (e.g. in an seperate .gnupg dir) that contains the
> key with CS.

Possible, yes, easy, definitely not. Think "split the key into packets,
read RFC2440, fiddle with its bits, turn the bits back into a key".

>>> 5) Would it change my primary key in such a way, that it renders the
>>> signatures that I've already received from other users invalid?
>> No.  This does not affect third-party signatures.
> Good,.. so I could change this as often as I'd like to, correct?

I wouldn't advise it. Add a subkey. If you don't want your primary key
to be "accidentaly" used for signing, backup your key, export the secret
subkeys only, delete the secret part of the key, and import the secret
subkeys. That way you can still sign and encrypt as normal but you won't
be able to use the secret part of the primary key. MAKE SURE YOU BACKUP

- --
Alphax                      |   /"\
Encrypted Email Preferred   |   \ /     ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards    |   / \
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Thunderbird -


More information about the Gnupg-users mailing list