Why a subkey?
Robert J. Hansen
rjh at sixdemonbag.org
Sat Feb 24 19:42:09 CET 2007
> On FC4 with gpg 1.4.1:

Please upgrade. There have been a couple of security updates since

> It says the key cannot be used for encryption, and a
> subkey must be generated. Why?

Why must an encryption subkey be generated? Because you don't have
one. If you mean "why doesn't GnuPG create an encryption subkey at
the same time it creates a signing subkey, the way it does for DSS/
ElGamal keypairs", for that one you'd have to ask the developers.
It's never made a lick of sense to me, myself.

> If so, why was (sign and encrypt) not offered as an option?

Having one key that can be used for both signing and encryption
operations is thought by some to be bad crypto policy. The problems
with it appear to be mostly theoretical, though.

> I did this a year or two ago, and I do not remember
> needing a subkey. I still have that keyring in
> under another user.

If your other key was DSS/ElGamal, that's because GnuPG created the
additional subkey for you at the same time as your signing subkey. :)
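The situation discussed in this message can be checked from GnuPG's machine-readable listing. The following is an added example, not part of the original message or of GnuPG itself: it reads `gpg --with-colons --list-keys` output and reports, for each primary key, which of its keys can currently be used for encryption. The sample listing is constructed, and the function names `encryption_capable` and `missing_encryption` are hypothetical.

```python
# Constructed sample in the `gpg --with-colons --list-keys` format; the key IDs,
# timestamps and user IDs are made up for this example.
SAMPLE = """\
pub:u:2048:1:1111111111111111:1172342529:::u:::scSC:
uid:u::::1172342529::::Sign Only <sign-only@example.org>:
pub:u:1024:17:2222222222222222:1140806529:::u:::scESC:
uid:u::::1140806529::::Old Default <dss-elg@example.org>:
sub:u:2048:16:3333333333333333:1140806529::::::e:
pub:u:2048:1:4444444444444444:1100000000:::u:::scSC:
uid:u::::1100000000::::Lapsed Subkey <lapsed@example.org>:
sub:e:2048:1:5555555555555555:1100000000:1131536000:::::e:
"""

# Validity codes (field 2) that make a key unusable:
# i = invalid, d = disabled, r = revoked, e = expired.
UNUSABLE = {"i", "d", "r", "e"}


def encryption_capable(listing):
    """Map each primary key ID to the IDs of its usable encryption-capable keys."""
    result = {}
    current = None
    for line in listing.splitlines():
        # Pad so short or truncated records never raise IndexError.
        fields = line.split(":") + [""] * 12
        record, validity, keyid, caps = fields[0], fields[1], fields[4], fields[11]
        if record == "pub":
            current = keyid
            result[current] = []
        elif record != "sub" or current is None:
            continue  # uid, fpr and other records carry no key capabilities
        # Field 12 holds the capabilities; lowercase letters describe this key
        # itself (e = encrypt, s = sign, c = certify, a = authenticate).
        if "e" in caps and validity not in UNUSABLE:
            result[current].append(keyid)
    return result


def missing_encryption(listing):
    """Primary key IDs that have no usable encryption key at all."""
    return [k for k, enc in encryption_capable(listing).items() if not enc]


if __name__ == "__main__":
    for keyid in missing_encryption(SAMPLE):
        print(keyid, "cannot be used for encryption: no usable subkey")
```

In the sample, the sign-only RSA key and the key whose only encryption subkey has expired are both reported, while the DSS/ElGamal key is not.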