Keytypes and changing them

Christoph Anton Mitterer cam at mathematica.scientia.net
Tue Nov 29 04:08:06 CET 2005


Hi :-)

Ok,.. it took some time,.. but now I came back to that issue ...

David Shaw wrote:

>On Wed, Nov 09, 2005 at 12:53:45AM +0100, Christoph Anton Mitterer wrote:
>
>>Or is there perhaps another software that I could use for changing the
>>key usage flags (without damaging my key or changing the format or so).
>>Of course I'd prefer using GnuPG because I trust this the most :-)
>>
>>Once again,.. I'm only going to do this,.. if it wouldn't have
>>disadvantages for the security. But if the only disadvantage is that I
>>have more work when someone asks me to respond to a challenge I would
>>live with that ;-)
>
>It has absolutely no impact on security, either for or against. It is
>a 90% meaningless flag, and is in fact happily ignored in virtually
>all OpenPGP applications.  If you insist on making such a key, the
>only impact that you'll notice is that you won't be able to answer
>email challenges using GnuPG.
Well,... "insist" ... *g* ... let me explain:
If you look at professional CAs (e.g. DFN-PCA) they clearly state in
their policies that e.g. they'll NEVER use their root keys for signing
data but only for signing keys (DFN does this with its root PGP keys for
example).
I think the advantage is,... that other users can at least think that
the key is more likely not used in daily business (with potentially
insecure applications,.. Thunderbird,.. etc.) but only when the owner
signs a key.
But of course this is only a personal opinion ;-)
However:
=> It is definitely sure that with a C-only primary key (and an S-subkey
- of course WITH backsigs) I would NOT lose any security or
cryptographic strength at all, right? The only problem is that issue
with challenge-response, right?


>You sound like you really, really, want to do this.  I'm telling you
>it's a bad idea, but it's your key.  You have to be happy with it.
*g* You make me insecure...
But you mean "bad idea" only because of the issues with backsigning, right?

btw: Wouldn't it just work to answer the challenge by signing with the 
signing subkey? If someone would trust my primary key he should also 
trust my secondary (because it is bound to the primary by the 0x18-sig), 
or am I wrong?

Best wishes,
Chris.
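An added example, not from the thread or from GnuPG itself: a small check of the layout discussed above (a primary key that may only certify, with signing delegated to a subkey) read from the colon-delimited listing that `gpg --with-colons --list-keys` produces, where field 12 of a `pub`/`sub` record carries the capability letters (lowercase for that key, uppercase for the whole key). The listing below is constructed, not a real key, and the check only reads capability flags; it does not verify the 0x18 binding signature or the 0x19 backsig.

```python
"""Check that a key has a cert-only primary and a signing subkey."""
from dataclasses import dataclass, field

# Constructed sample in the `gpg --with-colons --list-keys` format (not a real key).
# Field 12 holds capabilities: primary is "c" only, whole key is usable for E, S, C.
SAMPLE_GOOD = """\
pub:u:4096:1:0123456789ABCDEF:1133000000:::u:::cESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1133000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1133000000::::::s::::::23:
sub:u:4096:1:1122334455667788:1133000000::::::e::::::23:
"""

# Constructed counterexample: the primary key itself carries "s" as well as "c".
SAMPLE_BAD = """\
pub:u:4096:1:0123456789ABCDEF:1133000000:::u:::scESC::::::23::0:
sub:u:4096:1:1122334455667788:1133000000::::::e::::::23:
"""


@dataclass
class KeyInfo:
    primary_id: str
    primary_caps: str  # lowercase letters: what the primary key itself may do
    subkeys: dict = field(default_factory=dict)  # key id -> capability letters


def parse_listing(text):
    """Collect pub records and their sub records from colon-format output."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Keep only the lowercase (per-key) letters of field 12.
            own_caps = "".join(c for c in f[11] if c.islower())
            keys.append(KeyInfo(primary_id=f[4], primary_caps=own_caps))
        elif f[0] == "sub" and keys:
            keys[-1].subkeys[f[4]] = f[11]
    return keys


def cert_only_primary_with_signing_subkey(key):
    """True iff the primary may only certify (C) and some subkey can sign (S)."""
    primary_is_cert_only = key.primary_caps == "c"
    has_signing_subkey = any("s" in caps for caps in key.subkeys.values())
    return primary_is_cert_only and has_signing_subkey
```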
