Certification-only key

Lionel Elie Mamane lionel at mamane.lu
Mon Oct 4 17:22:25 CEST 2010


On Tue, Sep 06, 2005 at 01:03:00AM +0200, Lionel Elie Mamane wrote:
> On Mon, Sep 05, 2005 at 04:46:46PM -0400, David Shaw wrote:
>> On Mon, Sep 05, 2005 at 09:35:50PM +0200, Lionel Elie Mamane wrote:

>>> You could argue I could have this without marking the key as
>>> certificate-only, by never issuing data signatures with the primary
>>> key. That's harder on me. I have to be more cautious. Over the course
>>> of twenty years, I *will* screw up.

>> GnuPG actually makes it hard for you to screw up here.  If there is
>> a subkey that can sign, GnuPG will use it rather than the primary.
>> The only way to get a signature (as opposed to a key certification)
>> from the primary is to specify its key ID explicitly with an
>> exclamation point.

> Ah. Good. I just hope mutt doesn't pass the KeyID with an exclamation
> point. Should check that.

Also, when my signature subkey expires, it would (I guess) silently
start using the primary. Which makes me _very_ happy I chose to make
my primary certification-only, because signatures started to fail
instead, which gave me notice and allowed me to issue a new signature
subkey :)

-- 
Lionel
