Why a subkey?
Mike - EMAIL IGNORED
m_d_berger_1900 at yahoo.com
Sat Feb 24 20:18:18 CET 2007
On Sat, 24 Feb 2007 12:42:09 -0600, Robert J. Hansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> On FC4 with gpg 1.4.1:
>
> Please upgrade. There have been a couple of security updates since
> 1.4.1.
>
>> It says the key cannot be used for encryption, and a
>> subkey must be generated. Why?
>
> Why must an encryption subkey be generated? Because you don't have
> one. If you mean "why doesn't GnuPG create an encryption subkey at
> the same time it creates a signing subkey, the way it does for DSS/
> ElGamal keypairs", for that one you'd have to ask the developers.
> It's never made a lick of sense to me, myself.
>
>> If so, why was (sign and encrypt) not offered as an option?
>
> Having one key that can be used for both signing and encryption
> operations is thought by some to be bad crypto policy. The problems
> with it appear to be mostly theoretical, though.
>
>> I did this a year or two ago, and I do not remember
>> needing a subkey. I still have that keyring in
>> under another user.
>
> If your other key was DSS/ElGamal, that's because GnuPG created the
> additional subkey for you at the same time as your signing subkey. :)
>
>
[...]
Now I created a key using "DSA and Elgamal (default)". As you
suggest, it created a subkey for me, as can be seen in gpg --list-keys.
If I run gpg --list-keys on my old keyring, I see no subkeys in the
old keys (Apr 2006), but there is a subkey in the public key imported
from the new user account. Has there been a change? Are my old
keys obsolete? I don't remember if I upgraded gpg in the interim
(present version 1.4.1), but I will upgrade, as you suggest.
Thanks,
Mike.
More information about the Gnupg-users
mailing list