multiple subkeys and key transition

Ben McGinnes ben at
Sat Dec 11 10:15:04 CET 2010

On 10/12/10 2:33 PM, David Shaw wrote:
> A good way to look at this is to pick what you want your primary key
> to be.  The subkeys don't really matter that much, as the primary is
> the one that gathers signatures, and the one that makes (i.e. signs)
> subkeys.  It's the key that establishes "identity" in the web of
> trust.  The subkeys matter a lot less as it's trivial to make new
> subkeys whenever you feel the need, using whatever algorithm and
> size is favored at that point.

Very interesting.

> One useful model is to make a large & non-expiring primary key, and
> use it only to make subkeys.  Use a subkey for signing data, and a
> (different) subkey for encryption.  This has a few advantages, such
> as that you can leave this primary key offline altogether (since you
> only actually need it to make more subkeys).  It's hard to
> compromise a key that isn't actually on your computer most of the
> time :)

I think this is probably what I will do for my next key, but how do I
specify between the primary key and the signing subkey when signing
messages?  Is that done with the Sign, Encrypt, Certify and
Authenticate capabilities during key creation?  I'm happy to do it in
expert mode, I just want to be clear on the different options.


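The key layout David describes, as an added example that is not part of the thread and not GnuPG's own code: a POSIX shell script that builds a cert-only primary with separate signing and encryption subkeys using the GnuPG quick commands, pins the signing subkey with the `!` suffix on `-u`, then removes only the primary's secret part and checks the subkey still signs. It assumes `gpg` and `gpgconf` 2.2 or later on PATH, a throwaway GNUPGHOME and a constructed demo identity.

```shell
#!/bin/sh
# Added example, not from the thread or from GnuPG itself. Builds a cert-only
# primary plus signing and encryption subkeys with the "quick" commands, signs
# with the subkey pinned explicitly, then takes the primary's secret part
# offline and shows the subkey still signs. Assumes gpg >= 2.2 on PATH; runs
# in a throwaway GNUPGHOME with an empty passphrase and a constructed identity.
set -eu
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Create the keys in a fresh GNUPGHOME; sets $primary and $signing (fingerprints).
make_keys() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  g --quick-generate-key 'Demo <demo@example.invalid>' ed25519 cert never 2>/dev/null
  primary=$(gpg --with-colons -k | awk -F: '$1=="fpr"{print $10; exit}')
  g --quick-add-key "$primary" ed25519 sign 1y 2>/dev/null   # [S] data-signing subkey
  g --quick-add-key "$primary" cv25519 encr 1y 2>/dev/null   # [E] encryption subkey
  # Field 12 of a "sub" record holds its capabilities; the next "fpr" record is its fingerprint.
  signing=$(gpg --with-colons -k |
    awk -F: '$1=="sub"{cap=$12} $1=="fpr" && cap ~ /s/ {print $10; exit}')
}

# Sign with one specific key: the trailing "!" pins that key instead of letting
# gpg choose a signing-capable subkey. Prints the fingerprint that verification
# reports as the actual signer (the VALIDSIG status line).
sign_and_report() {   # $1 = signing subkey fingerprint
  printf 'hello\n' >"$GNUPGHOME/msg"
  g -u "$1!" --detach-sign --output "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg"
  gpg --batch --status-fd 1 --verify "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg" 2>/dev/null |
    awk '$2=="VALIDSIG"{print $3}'
}

# Take the primary offline: delete only its secret key file (named by keygrip),
# leaving the subkeys' secret parts in place.
take_primary_offline() {
  grip=$(gpg --with-colons --with-keygrip -K | awk -F: '$1=="grp"{print $10; exit}')
  rm "$GNUPGHOME/private-keys-v1.d/$grip.key"
  gpgconf --kill gpg-agent   # restart the agent so it re-reads the key directory
}

# True when the listing shows "sec#": primary known, secret part absent.
primary_is_offline() { gpg --list-secret-keys 2>/dev/null | grep -q '^sec#'; }
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }

if [ "${1:-}" = "--demo" ]; then
  make_keys
  echo "signed by: $(sign_and_report "$signing") (subkey of $primary)"
  take_primary_offline; primary_is_offline && echo "primary is now sec# (offline)"
  echo "still signed by: $(sign_and_report "$signing")"; cleanup
fi
```

Run it as `sh script.sh --demo`; without the `!` suffix gpg would still pick a signing-capable subkey on its own, since the cert-only primary cannot sign data at all.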