Keytypes and changing them

Alphax alphasigmax at gmail.com
Tue Nov 8 15:35:59 CET 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Christoph Anton Mitterer wrote:
> David Shaw wrote:
> 
>>> So I think it would be better to have the following:
>>> primary: C, RSA-S, 4096 bit
>>> secondary: S, RSA-S, 4096 bit
>>> secondary: E, ElGamal, 4096 bit
>>>
>>> Ok...
>>> 1) Is it advisable at all?
>>>   
>>
>> Yes.  Many people do it this way, including myself.  It's not actually
>> an RSA-S key (that's deprecated), but a regular RSA key with the S
>> flag set.  However, you don't actually want to change the primary from
>> CS to C.
>>  
>>
> Why not? *g* Of course I could just don't use my primary key for signing
> plain data,.. but I think it would be better to indicate that with the
> flag, too.
> What would be the disadvantages?
> 

You could end up with conflicting copies of the same key for one...

<snip>
> And again,.. is it posible to change the flag on an existing key? And
> how is it done? Via a selfsignature? If so, I could change the flag to
> C, indicating everybody that I'm using the primary key for
> signing-other-keys-only and if someone should insist on
> challenge-response I could use the --expert flag or store a local-only
> version of the key (e.g. in an seperate .gnupg dir) that contains the
> key with CS.
> 

Possible, yes, easy, definitely not. Think "split the key into packets,
read RFC2440, fiddle with its bits, turn the bits back into a key".

> 
>>> 5) Would it change my primary key in such a way, that it renders the
>>> signatures that I've already received from other users invalid?
>>>   
>>
>> No.  This does not affect third-party signatures.
>>  
>>
> Good,.. so I could change this as often as I'd like to, correct?
> 

I wouldn't advise it. Add a subkey. If you don't want your primary key
to be "accidentaly" used for signing, backup your key, export the secret
subkeys only, delete the secret part of the key, and import the secret
subkeys. That way you can still sign and encrypt as normal but you won't
be able to use the secret part of the primary key. MAKE SURE YOU BACKUP
THE ORIGINAL!

- --
Alphax                      |   /"\
Encrypted Email Preferred   |   \ /     ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards
http://tinyurl.com/cc9up    |   / \
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ3C3z7MAAH8MeUlWAQhUCgf+ND53aPMn+VqE/FXVA4L/CsDYtz9j7cQl
bKZUid8hamWhTYbCIo5IT5kvOlLAS19VlBImT6XaSXOFJXnJt9TfpNHabI3YvKN+
GJSnGTDrnIISCK9pv8nL3+e5FomS+CMwiLR7LV7VDja4q+AXkxRzgNMDlKzYDn9R
J0hCVvBPVKpGJK+7JuLo3FEWt3D+i3vxsq76zqmlXR2Tg2yWJPiqcUfR9aDme5e0
LLFlE0CpDdPspvKn+Ai93+OWt9jOAxT5hYY6E2+IgYrqT78AtakQ1Iu5UwoQ+Cqv
OVWXzGwlHhg0FXapKO3P5kRXCvys+ZGoVKuzn6BTKPXNMkuxV2F8cA==
=l690
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list