A few newbie questions, am I doing this right?
expires2012 at rocketmail.com
Sat Dec 15 16:07:48 CET 2012
On Thursday 13 December 2012 at 12:10:35 PM, in
<mid:4265438.anoHMM7euF at inno>, Hauke Laging wrote:
> But as you completely
> control which signatures you make I don't think there
> is any serious argument against signing capability.
Since key compromise is possible however careful you intend to be,
isn't it better for the non-expiring main key to have the minimum
possible capability set?
> OK but you unnecessarily limit your benefit of this
> higher security to certifications.
There is no real limitation here. If a need arose for "higher
security" signing or encryption keys, new subkeys with those
capabilities could be created and circulated, and the secret subkeys
stored offline just like the main key.
> Unfortunately (I don't know the reason for this policy
> difference) the same is true for PIN pads and
> encryption. But for signatures the damage can be
Maybe because encryption uses the public key, so no passphrase or PIN
would be required?
>> > • add a UID without email (just your name and a comment; this will be
>> > valid "forever")
Really? In many countries it is traditional for one or both
partner(s) to change their name on marriage. And it is not all that
rare for people to change their name at other times for personal or
>> if I doubt I'll ever in my
>> lifetime swap out my private email? (see comment
But it could happen. How do you know what email addresses and domain
names will look like in several decades? Or whether somebody may offer
to purchase your domain name for a vast sum of money? Or whether you
may at some point forget to renew the domain, or have it stolen from
you by illicit action on behalf of some corporate or government
> My general advice is to create a dedicated key for
> local signatures because it is quite inconvenient to
> always have to use the real mainkey in a secure
> environment. My strategy is: Use the lsign key for
> making other keys valid quickly (just for yourself) and
> use the safe mainkey for active participation in the
> Web of Trust.
That strikes me as good advice even if your main key is not stored
>> > • If you create two keys then create your work key
>> > with your personal key as designated revoker
Sounds like a sensible precaution if work policy allows.
MFPA mailto:expires2012 at rocketmail.com
If you can't convince them, confuse them.
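As an added example (not part of this thread or of GnuPG), a small Python audit of `gpg --list-keys --with-colons` output against the key layout argued for above: a certify-only primary that may never expire, with sign/encrypt capabilities on expiring subkeys. Field positions follow gpg's documented colon-separated format; both listings are constructed samples with made-up key IDs.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample output of `gpg --list-keys --with-colons` (not a real key).
# Field 12 holds key capabilities: lowercase letters belong to that key record,
# uppercase letters summarise what the whole key can do. Field 7 is the expiry
# as epoch seconds, empty when the key never expires.
BAD_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1355500000:::u:::scESC::::::23::0:
sub:u:4096:1:FEDCBA9876543210:1355500000:1418572000:::::e::::::23:
sub:u:4096:1:0011223344556677:1355500000::::::s::::::23:
"""
# Same key laid out as the thread recommends: certify-only primary, expiring subkeys.
GOOD_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1355500000:::u:::cESC::::::23::0:
sub:u:4096:1:FEDCBA9876543210:1355500000:1418572000:::::e::::::23:
sub:u:4096:1:0011223344556677:1355500000:1418572000:::::s::::::23:
"""

@dataclass
class KeyRecord:
    kind: str               # "pub" (primary) or "sub" (subkey)
    keyid: str
    expires: Optional[int]  # epoch seconds, None if the key never expires
    caps: Set[str]          # lowercase capabilities of this record only

def parse_listing(text: str) -> List[KeyRecord]:
    """Keep only pub/sub records; uid, fpr and other line types are ignored."""
    records = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        expires = int(f[6]) if f[6] else None
        caps = {c for c in f[11] if c.islower()}
        records.append(KeyRecord(f[0], f[4], expires, caps))
    return records

def audit(records: List[KeyRecord]) -> List[str]:
    """Findings against the policy: the primary is certify-only (it may live
    forever); every sign/encrypt/auth capability sits on an expiring subkey."""
    findings = []
    for r in records:
        caps = "".join(sorted(r.caps))
        if r.kind == "pub" and r.caps != {"c"}:
            findings.append(f"primary {r.keyid} has capabilities '{caps}', expected 'c' only")
        elif r.kind == "sub" and r.expires is None:
            findings.append(f"subkey {r.keyid} ('{caps}') never expires")
    return findings
```

Running `audit(parse_listing(...))` over a real listing reports which records violate the layout; an empty list means the key matches it.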