Offline Master Key
mailinglisten at hauke-laging.de
Mon May 2 17:19:38 CEST 2011
On Monday, 2 May 2011, 16:47:31, patrickbx at lavabit.com wrote:
> My idea is to create a master signing key on an offline
> computer(persistent live usb). Then create two subkeys that have regular
> expiration dates. One encryption key and one additional "daily-use"
> signing key.
You can create the master key without any capability except for certification.
It is theoretically possible to use several keys (main key and subkeys) within
one key for signing and give the signatures different meanings (e.g. "daily
use" vs. "high security") but I think that most people would not notice the
difference. So IMHO the only reason for having several simultaneously valid
keys with the same ability in one key is compatibility: Use the strongest key
(and have the others use it) whenever possible, otherwise use the worse

I think it's a good idea to have signature and encryption keys of different
quality but I would advise to use different main keys for that. That allows
the others to understand the difference from a simple look at the UID (when
using comments like "daily use" and "high security").
> Would this create any
> problems for those reading and verifying my emails?
No. Subkeys are a normal feature. The default configuration creates keys with
a subkey (not for signing though). Nobody except you should be able to realize
whether your master key is stored online or offline.
> Would it be necessary to link to my key policy in my mail
No but it makes sense (independently of this question) to link it in your
self-signature. See the option --set-policy-url though in the default
configuration this URL is not shown (just hinted by a "P").
> or would it be seamless that my sub
> signing key is valid because it is signed by the master.
Yes, that's the concept of OpenPGP.
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
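The key layout discussed in this exchange, as an added shell example that is not part of the original message: a certification-only primary key, an expiring signing subkey and an expiring encryption subkey, an export of the secret subkeys alone for the online machine, and a check of the resulting structure in gpg's colon listing. It assumes GnuPG 2.1 or later (for the quick-* commands); the user-id and the ed25519/cv25519 choices are constructed for the demo.

```shell
# Unattended GnuPG with an empty passphrase; acceptable only for a throwaway demo key.
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Builds the layout in a throwaway GNUPGHOME (overriding any existing one for the
# duration) and verifies it.
# Returns 0 when the structure is right, 1 when it is not, 77 when gpg is missing.
build_offline_master_layout() {
    command -v gpg >/dev/null 2>&1 || return 77
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid="Offline Master Demo <demo@example.invalid>"   # constructed user-id
    rc=1
    # 1. primary key: certification capability only, no expiry (it stays offline)
    # 2./3. daily-use subkeys, each with a regular expiry (one year here)
    # 4. what the online machine receives: secret subkeys only, never the primary
    # 5. check the colon listing: field 12 = capabilities (lower case = this key,
    #    upper case = whole key), field 7 = expiration date
    if gpgq --quick-generate-key "$uid" ed25519 cert never \
       && fpr=$(gpg --list-secret-keys --with-colons "$uid" \
                | awk -F: '$1=="fpr"{print $10; exit}') \
       && gpgq --quick-add-key "$fpr" ed25519 sign 1y \
       && gpgq --quick-add-key "$fpr" cv25519 encr 1y \
       && gpgq --export-secret-subkeys "$fpr" > "$GNUPGHOME/subkeys.gpg" \
       && gpg --list-keys --with-colons "$fpr" | awk -F: '
            $1=="pub" && ($12 ~ /[se]/ || $12 !~ /c/) { bad=1 }
            $1=="sub" && $12 ~ /s/ { sign=1; if ($7=="") bad=1 }
            $1=="sub" && $12 ~ /e/ { encr=1; if ($7=="") bad=1 }
            END { if (bad || !sign || !encr) exit 1 }'
    then
        rc=0
    fi
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    return $rc
}
```

On a real offline box the primary secret key would stay in that GNUPGHOME and only subkeys.gpg would be imported on the daily-use machine.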