decrypt : primary key or subkey ?

Bruno Costacurta pubmb01 at skynet.be
Wed Jun 13 17:18:54 CEST 2007


On Thursday 07 June 2007 16:00:49 David SMITH wrote:
> On Thu, Jun 07, 2007 at 12:31:19PM +0200, Bruno Costacurta wrote:
> > Hello David,
> >
> > (note: I'm able to revoke this subkey (done but not sent to keyserver
> > yet)).
>
> Do you mean that you have already generated the revocation certificate
> previously, or that you have just generated one now?

(sorry for delays. I was off and abroad).

I simply revoked the subkey Elgamal and sent update to keyserver.
Looks like now this is reflected, and so I do not (currently) have any key for
encryption. This is what I intended to do, as I was not able to decrypt.
Later I'll create a new subkey and update it the same way (after verification
of correct encrypt/decrypt behaviour).

I think that the problem came a few months ago: as I changed computer I
exported the secret key only, but not the secret subkey. And so I installed the
keyring but without the secret part of my subkey on my current computer.

Question: an export-secret should be followed by an export-secret-subkey?
Correct?

>
> > The problem is that subkey comes alone and automatically when keypair is
> > generated (and related keyring created).
> > During creation there is only one password required which is linked to
> > the primary key. My secret key and related password are OK.
>
> You only have one passphrase to protect the primary key; this passphrase
> automatically protects all of its subkeys.
>
> (Actually, I think that the passphrase protects the keyring file rather
> than the key, but ICBW).  The fact that you don't have a separate
> passphrase for your subkey is normal and not a problem.
>
> > Where in this process is the secret part (and related password) of subkey
> > specified ?
>
> As I mentioned, you don't have a separate password.
>
> Public and secret parts are always generated together; they cannot be
> generated separately.
>
> > How to specify correct attributes for subkey like encrypt & decrypt ?
>
> Public parts are always used for encryption, and private parts are
> always used for decryption.  There is an exception to this, where some
> keys are used for signing, but I am ignoring this since you are talking
> about keys generated for en/decryption.
>
> There is no point in generating a key for encryption but not decryption -
> they are always generated as a pair - public for encryption, and secret
> for decryption.  If you think about it, any other scheme is nonsensical.
> For example, encrypting with the secret key would mean that anyone could
> decrypt the encrypted message (since the public key is, well, public).
>
> The secret key can't be generated from the public key, for obvious
> reasons.
>
> Somehow I think you've lost the secret part of the subkey.



-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
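The situation described above (a keyring moved to a new machine with the secret subkey left behind) can be checked mechanically rather than discovered at decryption time. The following is an added example, not code from the thread or from the GnuPG project. It parses the machine-readable listing from `gpg --list-secret-keys --with-colons`, in which (per GnuPG's doc/DETAILS) field 15 of a `sec` or `ssb` record carries a smartcard serial number, or `#` when the record is only a stub with no secret material in the keyring; the human-readable listing shows the same condition as `sec#` / `ssb#`. Two facts worth knowing for the export question: `--export-secret-keys` writes the primary secret key together with all of its secret subkeys, whereas `--export-secret-subkeys` writes the subkeys with a stubbed-out primary. The sample listing is constructed; the primary key ID and fingerprint are the ones from the signature above, and the subkey ID `0123456789ABCDEF` is a placeholder.

```python
"""Find secret keys/subkeys whose private material is missing from a keyring.

Input is the output of:  gpg --list-secret-keys --with-colons
Record layout follows GnuPG's doc/DETAILS (1-based field numbers):
  field 1  record type ('sec' primary, 'ssb' subkey)
  field 5  key ID
  field 12 capabilities: lowercase letters are this record's own
           (e=encrypt, s=sign, c=certify, a=auth); uppercase letters on
           the primary summarise what the whole key offers via any subkey
  field 15 token serial number, or '#' if the secret part is a stub
"""
import subprocess
from dataclasses import dataclass, field


@dataclass
class SecretRecord:
    keyid: str
    capabilities: str
    stub: bool                      # True when the secret part is absent
    subkeys: list = field(default_factory=list)


def parse_secret_listing(text):
    """Group 'sec' records with the 'ssb' records that follow them."""
    keys, current = [], None
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in ("sec", "ssb"):
            continue
        token = fields[14] if len(fields) > 14 else ""
        rec = SecretRecord(keyid=fields[4], capabilities=fields[11],
                           stub=(token == "#"))
        if fields[0] == "sec":
            current = rec
            keys.append(current)
        elif current is not None:
            current.subkeys.append(rec)
    return keys


def missing_secret_parts(keys):
    """(primary keyid, keyid, capabilities) for each stubbed record."""
    out = []
    for k in keys:
        for rec in [k] + k.subkeys:
            if rec.stub:
                out.append((k.keyid, rec.keyid, rec.capabilities))
    return out


def can_decrypt(keys):
    """True if some non-stub record carries its own 'e' capability.

    Case-sensitive on purpose: an uppercase 'E' on the primary only says the
    key advertises encryption somewhere, not that this record can do it.
    """
    return any(not rec.stub and "e" in rec.capabilities
               for k in keys for rec in [k] + k.subkeys)


def backup_commands(keyid):
    """Commands for a complete export (primary and all subkeys, plus trust)."""
    return [
        f"gpg --export-secret-keys --armor {keyid} > {keyid}-secret.asc",
        f"gpg --export --armor {keyid} > {keyid}-public.asc",
        "gpg --export-ownertrust > ownertrust.txt",
    ]


def live_listing():
    """Read the real keyring; not used by the sample run below."""
    return subprocess.run(["gpg", "--list-secret-keys", "--with-colons"],
                          capture_output=True, text=True, check=True).stdout


# Constructed listing: DSA primary present ('+'), Elgamal encryption
# subkey present only as a stub ('#'). Subkey ID is a placeholder.
SAMPLE_LISTING = """\
sec:u:1024:17:7E07569B2E604D51:2004-03-01:::u:::scESC:::+:::23::0:
fpr:::::::::713F795694417DEF58ED19517E07569B2E604D51:
uid:u::::2004-03-01::0000000000000000000000000000000000000000::Bruno Costacurta <pubmb01 at skynet.be>::::::::::0:
ssb:u:2048:16:0123456789ABCDEF:2004-03-01::::::e:::#:::23:
"""

if __name__ == "__main__":
    keys = parse_secret_listing(SAMPLE_LISTING)
    for primary, keyid, caps in missing_secret_parts(keys):
        print(f"secret part missing: {keyid} (caps={caps}) under {primary}")
    print("can decrypt:", can_decrypt(keys))
    for cmd in backup_commands(keys[0].keyid):
        print("  ", cmd)
```

Run against `live_listing()` instead of `SAMPLE_LISTING` to audit a real keyring; a `#` on the encryption subkey is exactly the "have the primary, cannot decrypt" state, and the fix is to re-import the full `--export-secret-keys` output from the old machine rather than to revoke the subkey.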