controlling the use of subkeys

Mike Frysinger vapier at
Sat Dec 23 20:59:31 CET 2006

On Saturday 23 December 2006 14:51, Robert J. Hansen wrote:
> Mike Frysinger wrote:
> > i do signing of Gentoo packages and historically i would just
> > generate a new key and sign that with my normal public one ... when
> > the last one expired, i decided to try and use subkeys
> This may be bad policy on your part.  The average Gentoo user is not
> going to be an expert on cryptography or the OpenPGP protocol.  Keeping
> things as simple as possible for them is probably better than getting
> clever with subkeys, especially since there are some interesting edge
> cases there.

the average Gentoo user isnt going to ever care or even notice ... the signing 
aspects are all handled by portage

user does `emerge pkg` and emerge goes and validates all of the keys

> > so my main key i get everyone to sign is E837F581 and i use that when
> >  signing my e-mails ... i created a new subkey just for signing
> > Gentoo packages and that is 205D3103
> Generally speaking, people don't sign keys; they sign user IDs.

sorry, yes ... they've been signing my Gentoo uid

> > ... now when i sign e-mails or files, my main key is no longer used,
> > just my subkey ... how can i control this behavior ?
> Use the "!" symbol to explicitly specify a subkey.  E.g.,


> I would suggest rethinking your strategy, however.

and what would you suggest ?  create brand new key sets when the previous one 
expires ?  i thought one of the points of subkeys is to minimize this sort of 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20061223/6977bed6/attachment-0001.pgp 

More information about the Gnupg-users mailing list