Offline Master Key
dshaw at jabberwocky.com
Mon May 2 17:39:57 CEST 2011
On May 2, 2011, at 10:47 AM, patrickbx at lavabit.com wrote:
> I have a question on key management and was looking for some feedback. My
> issue is that I like the idea of having a master signing key with no
> expiration date, and I want to store this key offline without the
> inconvenience of using an offline computer every time I'd like to send a
> signed/encrypted message.
> My idea is to create a master signing key on an offline
> computer (persistent live USB). Then create two subkeys that have regular
> expiration dates: one encryption key and one additional "daily-use"
> signing key. I would post my master key in my signature and use it to
> sign the subkeys. When sending mail I would use my daily-use key to sign
> my messages. I would only access and use my master key when it is
> necessary to sign other keys and update my subkeys. Would this create any
> problems for those reading and verifying my emails?
No problems unless your correspondent is using a very old version of PGP that doesn't properly handle subkeys. I wouldn't worry about that too much in 2011.
> Would it be necessary
> to link to my key policy in my mail or would it be seamless that my sub
> signing key is valid because it is signed by the master.
It should be seamless. This is a reasonably common thing to do. I do it myself, in fact.
There is/was a HOWTO document for this method of handling keys written at one point. I can't seem to find the link at the moment, but if someone has it handy, please do post it.
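The setup discussed above, written out as an added example (this script is not part of the thread or of GnuPG's own documentation): a certify-only master key with no expiry stays in an "offline" keyring, two subkeys (signing and encryption) that expire in a year are created under it, and only the secret subkeys plus the public key are copied into a "daily" keyring. The script then checks the three things the poster cares about: the daily keyring shows the master as a stub (`sec#`), a message signed with the daily subkey verifies and chains back to the master fingerprint, and a master-key operation (adding a subkey) fails on the daily machine. It assumes GnuPG 2.1 or later for the `--quick-*` commands; the user ID, the one-year expiry, the directory names and the empty passphrase are illustrative choices, and both keyrings are built in a temporary directory so it runs on one box.

```shell
#!/bin/sh
# Added example, not code from the original thread. Requires GnuPG 2.1+.
# Offline keyring: certify-only master, never expires. Daily keyring: only the
# expiring signing/encryption subkeys plus the public key. Names are illustrative.
set -eu

UID_STR='Example User <user@example.org>'   # constructed user ID for the demo

# Run gpg against one keyring directory, unattended. The empty passphrase only
# keeps the demo non-interactive; a real offline master key needs a strong one.
g() {
    _dir=$1; shift
    GNUPGHOME="$_dir" LC_ALL=C gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' "$@"
}

new_keyring() { mkdir -p "$1"; chmod 700 "$1"; }

# Offline machine: certify-only (usage "cert") master with no expiry, then a
# signing subkey and an encryption subkey that expire in one year. Prints the
# master fingerprint (first "fpr" record belongs to the primary key).
make_master() {
    new_keyring "$1"
    g "$1" --quick-generate-key "$UID_STR" ed25519 cert never >/dev/null
    _fpr=$(g "$1" --with-colons --list-keys "$UID_STR" \
           | awk -F: '$1=="fpr"{print $10; exit}')
    g "$1" --quick-add-key "$_fpr" ed25519 sign 1y >/dev/null
    g "$1" --quick-add-key "$_fpr" cv25519 encr 1y >/dev/null
    echo "$_fpr"
}

# Export the public key and the secret *subkeys* only. --export-secret-subkeys
# replaces the primary secret key with a stub; this bundle goes to the daily box.
export_for_daily() {          # $1=offline dir  $2=master fpr  $3=transfer dir
    g "$1" --armor --output "$3/pub.asc" --export "$2"
    g "$1" --output "$3/subkeys.gpg" --export-secret-subkeys "$2"
}

# Daily machine: import, then confirm the master is listed as "sec#" (no secret).
import_daily() {              # $1=daily dir  $2=transfer dir
    new_keyring "$1"
    g "$1" --import "$2/pub.asc" "$2/subkeys.gpg"
    g "$1" --list-secret-keys | grep -q '^sec#'
}

# Daily machine: sign with whatever signing-capable secret key hangs off the
# master (the subkey), then verify and check VALIDSIG names the master fpr.
sign_and_verify() {           # $1=daily dir  $2=master fpr  $3=work dir
    printf 'Signed with the daily subkey, not the master.\n' > "$3/msg.txt"
    g "$1" --local-user "$2" --detach-sign --output "$3/msg.sig" "$3/msg.txt"
    g "$1" --status-fd 1 --verify "$3/msg.sig" "$3/msg.txt" \
        | grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$2"
}

# Daily machine must not be able to do master-key work: adding a subkey needs
# the primary secret key, which is only a stub here, so the call has to fail.
daily_cannot_add_subkey() {   # $1=daily dir  $2=master fpr
    if g "$1" --quick-add-key "$2" ed25519 sign 1y 2>/dev/null; then
        return 1
    fi
    return 0
}

run_demo() {                  # $1=scratch dir; sets DEMO_* and MASTER_FPR
    offline="$1/offline"; daily="$1/daily"; xfer="$1/transfer"
    mkdir -p "$xfer"
    MASTER_FPR=$(make_master "$offline")
    export_for_daily "$offline" "$MASTER_FPR" "$xfer"
    DEMO_STUB_OK=no;   import_daily "$daily" "$xfer" && DEMO_STUB_OK=yes
    DEMO_SIG_OK=no;    sign_and_verify "$daily" "$MASTER_FPR" "$xfer" && DEMO_SIG_OK=yes
    DEMO_NOCERT_OK=no; daily_cannot_add_subkey "$daily" "$MASTER_FPR" && DEMO_NOCERT_OK=yes
    # stop the agents gpg auto-started for the two scratch keyrings
    GNUPGHOME="$offline" gpgconf --kill gpg-agent || true
    GNUPGHOME="$daily"   gpgconf --kill gpg-agent || true
    echo "master=$MASTER_FPR stub_in_daily=$DEMO_STUB_OK subkey_sig_ok=$DEMO_SIG_OK master_ops_blocked=$DEMO_NOCERT_OK"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo "$(mktemp -d)"
else
    echo "gpg not found: install GnuPG 2.1+ to run this demo" >&2
fi
```

In real use the `offline` directory lives on the air-gapped medium and only the `transfer` directory ever leaves it; when the subkeys come up for renewal, the expiry is extended in the offline keyring and the re-exported public key is redistributed, which is the only time the master has to be touched.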