explain nrsign & lsign?

David Shaw dshaw at jabberwocky.com
Mon Jan 29 00:06:29 CET 2007

On Sun, Jan 28, 2007 at 01:16:22PM -0800, snowcrash+gnupg-users wrote:
> john, david,
> thanks for the clarifications.
> > Can you explain what you're trying to do?
> that never hurts, does it.
> i want to have a 'master' trust key that, e.g., is owned/controlled by
> my company,
>   -- with strongest-possible, highest-performance encryption (RSA?
> yes, i know this is a religious debate ...)

Pick any that GnuPG supports.  They're all strong.

>   -- never used for anything other than tsigning other keys


>   -- limited in distribution as much as possible to minimize risk,
> while still allowing trust to be found/followed for the keys it signs.

You limit the distribution of the secret key.  You distribute the
public key widely as that is what allows trust to be followed.  There
is no harm in distributing the public key, and no benefit in
restricting it.

> i'm thinking here, onlyUID="trust_sig at mydomain.local"  <-- NOT a real address

Why not a real address?  What benefit does that give you?

> then, i want to create key "packages" for each employee that consist of
>   -- a 'weaker' DSA email-signing-only key
>   -- a strong ElGamal encrypt-only key
>   -- a strong RSA encrypt-only key
>   -- a 'real' primaryUID="emplayee_name at mydomain.com"
>   -- a trust signature from/by the company
>   -- ability for the employee to add add'l UID's

Why two different encrypt-only keys?


More information about the Gnupg-users mailing list