Confused about Sub keys.

Faramir faramir.cl at gmail.com
Tue Jun 10 06:17:46 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon Dwyer escribió:
> Hi everyone,
> 
> I am new  to all this and have been alot of reading.
> 
> One thing i cant get my head around is subkeys.  I have generated a sub
> key with my master key and i undestand that.  All the commands and thing
> i have been doing i have been using my master keys id... should i be
> actively using my sub key? or does it just use it as i talk to people?

  Hello, and yes, I think subkeys are confusing... I am still a bit
confused... Anyway, there are a few things I understood, and they are:

1.- There are keys used to sign, and other keys used for
encrypt/decrypt: DSA keys can sign but not encrypt, Elgammal can encrypt
but not sign. RSA can do both functions, but the function intended for
it must be defined at the moment of creating the key. And that is the
reason to use "key pairs", because a singe key can't do both functions.

2.- You can make a key pair using DSA-Elgammal, or
RSA(sign)-RSA(encrypt). Maybe you can mix, but I am *not sure* about that.

3.- A key pair is always composed by a primary key (used to sign), and a
subkey used to encrypt/decrypt.

4.- You can add more subkeys, for signing and for encrypting. But I
don't have any idea about how does GnuPG chose what key is going to use...

5.- The primary key is the only key that can sign other keys.

6.- But if you have a signing subkey, and an encrypting subkey, you can
use these subkeys pair to sign and encrypt... you can even export the
secret keys and store them safe, then export the subkeys, delete the
key, import the subkeys, and be able to do everything, except to sign
other people's keys. You can revoke the subkeys, if they get
compromised, and since the primary key would not be compromised, you can
import it, make a new subkeys pair, and keep functioning with the same
master key ID (so, you would not lose the signatures people have done to
your key).

7.- If you delete a subkey used to encrypt, you won't be able to read
messages sent to you encrypted for that subkey, so, if you have to
revoke a subkey, do it, but never delete it.

  And that is all I know about the subject...

  So, you don't have to do anything to use your subkey, it is already
being used anytime you need to encrypt/decrypt.

 Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJITgBqAAoJEMV4f6PvczxAWB8H/RWpE1qesd5I13Rnj5S/2ILr
mPj2SuSVKHYc5qZuLuGRxw+2gaXO8icMb91Fep58DTivvJFpat3KEkypWAPSyhH1
8pbm69l813Z1Ok+1uIaUXxEyaKQJOEnCejfp0qK+Ow7Yy+V61lBzl8shssll/Upb
q5eUeaofqRdkujEOfKVdRd4KdsWS6+Giu+a+HbJiiwC5UjM5Js8qj94aFCYtXrfT
b4CnYmTW89ekMz9iL51J9EBXzrkoZ4nQaLgQ875xLwsNyFjy+Cer5+j4+TziPz8j
FgsV5t3AY8W7wLiMbMviiWJ0Uqv792Kjs85+qfMsDVp61jqCaX6MkBWzEBR3lQk=
=zuH8
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list