multiple subkeys and key transition
ben at adversary.org
Sat Dec 11 20:55:25 CET 2010
On 12/12/10 6:07 AM, David Shaw wrote:
> The flags you can turn on and off in expert mode are:
> Sign: sign data (i.e. sign a file)
> Encrypt: encrypt
> Authenticate: prove your identity (for example, sign a challenge
> token presented by a server so it will let you in)
Ah, this explains its use for SSH as well. Nice.
> You can't actually turn on or off certify (which is to sign a key -
> either your own or someone elses). In OpenPGP, the primary key can
> always certify (it may be able to encrypt/sign/authenticate as well,
> but the only strict requirement is that it must be able to certify).
> Without the ability to certify, you could never make a subkey, since
> subkeys are signed by the primary key.
Cool. On a tangential note, could this be used as a basis for
applying a PKI/WoT model to certification of SSL keys, rather than
relying on CAs?
I don't really want to hijack my own thread, but I've always been
deeply suspicious of the obvious money grab of the CA system of
(mainly website) SSL certificates and I think alternatives a worth
> So given that all primary keys will certify, you just need to decide
> whether you want it to sign, encrypt, or both. The default is to
> certify and sign, and that is what I recommend (no expert mode
Cool. I've already had a play around with that, but having the option
of skipping it is good for those who might be worried about messing it
> Once you make that primary key, you just add subkeys for whatever
> capabilities you desire. Again, the defaults are recommended (they
> are correct for virtually everyone). I'd add a sign-only subkey and
> an encrypt-only subkey. GnuPG will automatically use the subkey for
> signing over the primary key for signing.
I assume this means that if the primary key can sign & certify, that
key will still be used to sign other keys even if there is a specific
signing subkey for messages and files. Right?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 227 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users