trying to understand UID and subkeys
David Shaw
dshaw at jabberwocky.com
Thu Mar 5 18:23:05 CET 2009
On Thu, Mar 05, 2009 at 12:14:24PM -0500, gerry_lowry (alliston ontario canada) wrote:
> David Shaw wrote, in part:
>
> You can have one subkey for encryption, one subkey for signing, and
> leave your primary key for certification.
>
> This lets you do tricks like keeping your primary key offline.
>
> This is useful as the primary key is the most "valuable" key (since it can make more subkeys),
>
> Question # 1: does primary key here mean "primary PUBLIC key"?
No. Primary secret key. There is no risk in keeping a primary public
key online. It's public already.
> Question # 2: without the pass phrase, how can one make more subkeys?
You cannot. To make more subkeys you need both the passphrase and the
primary secret key.
> Question # 3: what determines that a key is a "primary" key?
> (is it because --gen-key was used instead of --edit-key?)
Essentially, yes. --gen-key always makes a primary key. If you
accept the default, it also makes you a single subkey. You can add
more subkeys to it later via --edit-key.
> Question # 4: by offline, do you mean not on a keyserver?
> (versus not on your local hard disk?)
By offline I mean not even on your local hard disk. Offline, say, on
a USB flash disk, or a CD-R.
David
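As an added illustration of David's point about the primary secret key (not part of the original thread): a small parser for `gpg --list-secret-keys --with-colons` output that reports whether the primary secret key on this machine is only a stub, i.e. actually offline, and which capabilities the remaining subkeys still provide. Field positions follow GnuPG's doc/DETAILS; the listing and key IDs are constructed samples.

```python
"""Check whether a GnuPG primary secret key is held offline (added example).

Input: `gpg --list-secret-keys --with-colons` output. Per GnuPG's doc/DETAILS,
field 12 holds capabilities (lowercase = this key, uppercase = whole key) and
field 15 is '#' when only a stub of the secret key is on disk.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class SecretKey:
    kind: str   # "sec" = primary key, "ssb" = subkey
    keyid: str
    caps: str   # this key's own capabilities: c certify, s sign, e encrypt, a auth
    stub: bool  # True when the secret material is absent (stub only)

def parse_secret_listing(text: str) -> List[SecretKey]:
    """Extract primary ('sec') and subkey ('ssb') records from a colon listing."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 15 or f[0] not in ("sec", "ssb"):
            continue
        own_caps = "".join(ch for ch in f[11] if ch.islower())
        keys.append(SecretKey(f[0], f[4], own_caps, f[14] == "#"))
    return keys

def offline_primary_report(text: str) -> Dict[str, object]:
    """Summarise what this machine can and cannot do with the listed secret keys."""
    keys = parse_secret_listing(text)
    primaries = [k for k in keys if k.kind == "sec"]
    subkeys = [k for k in keys if k.kind == "ssb"]
    return {
        # True only if every primary present is a stub: this host cannot
        # certify user IDs or add subkeys, which is the point of going offline.
        "primary_offline": bool(primaries) and all(k.stub for k in primaries),
        "can_certify_here": any("c" in k.caps and not k.stub for k in primaries),
        # Day-to-day capabilities still usable via subkeys whose secret part is here.
        "usable_subkey_caps": sorted({c for k in subkeys if not k.stub for c in k.caps}),
    }

# Constructed sample (placeholder key IDs): primary certify/sign key reduced to a
# stub ('#'); encryption and signing subkeys still present ('+').
SAMPLE_OFFLINE = """\
sec:u:4096:1:0000000000000001:1236206400:::u:::scESC:::#:::23::0:
ssb:u:4096:1:0000000000000002:1236206400::::::e:::+:::23:
ssb:u:4096:1:0000000000000003:1236206400::::::s:::+:::23:
"""
SAMPLE_ONLINE = SAMPLE_OFFLINE.replace(":scESC:::#:", ":scESC:::+:")  # primary still on disk
```

To check a real keyring, pipe the output of `gpg --list-secret-keys --with-colons` into `offline_primary_report`; a `sec` record shown with `#` is what remains after the primary secret key has been moved to removable media.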