Confused about Sub keys.
sdwyer at spykes.id.au
Tue Jun 10 06:40:06 CEST 2008
That does make more sense. Still a very confusing topic. From what i
gather the fact that my emails are being signed and everything seems to
be working i will not worry about it too much. Hope this post helps
others that come looking later with the same question.
On Tue, 2008-06-10 at 00:17 -0400, Faramir wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Simon Dwyer escribió:
> > Hi everyone,
> > I am new to all this and have been alot of reading.
> > One thing i cant get my head around is subkeys. I have generated a sub
> > key with my master key and i undestand that. All the commands and thing
> > i have been doing i have been using my master keys id... should i be
> > actively using my sub key? or does it just use it as i talk to people?
> Hello, and yes, I think subkeys are confusing... I am still a bit
> confused... Anyway, there are a few things I understood, and they are:
> 1.- There are keys used to sign, and other keys used for
> encrypt/decrypt: DSA keys can sign but not encrypt, Elgammal can encrypt
> but not sign. RSA can do both functions, but the function intended for
> it must be defined at the moment of creating the key. And that is the
> reason to use "key pairs", because a singe key can't do both functions.
> 2.- You can make a key pair using DSA-Elgammal, or
> RSA(sign)-RSA(encrypt). Maybe you can mix, but I am *not sure* about that.
> 3.- A key pair is always composed by a primary key (used to sign), and a
> subkey used to encrypt/decrypt.
> 4.- You can add more subkeys, for signing and for encrypting. But I
> don't have any idea about how does GnuPG chose what key is going to use...
> 5.- The primary key is the only key that can sign other keys.
> 6.- But if you have a signing subkey, and an encrypting subkey, you can
> use these subkeys pair to sign and encrypt... you can even export the
> secret keys and store them safe, then export the subkeys, delete the
> key, import the subkeys, and be able to do everything, except to sign
> other people's keys. You can revoke the subkeys, if they get
> compromised, and since the primary key would not be compromised, you can
> import it, make a new subkeys pair, and keep functioning with the same
> master key ID (so, you would not lose the signatures people have done to
> your key).
> 7.- If you delete a subkey used to encrypt, you won't be able to read
> messages sent to you encrypted for that subkey, so, if you have to
> revoke a subkey, do it, but never delete it.
> And that is all I know about the subject...
> So, you don't have to do anything to use your subkey, it is already
> being used anytime you need to encrypt/decrypt.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 197 bytes
Desc: This is a digitally signed message part
More information about the Gnupg-users