A few newbie questions, I'am doing this right?

MFPA expires2012 at rocketmail.com
Tue Dec 18 00:37:33 CET 2012

Hash: SHA512


On Sunday 16 December 2012 at 5:03:42 AM, in
<mid:7064600.aJxIxBHWNB at inno>, Hauke Laging wrote:

> With a compromised mainkey it
> shouldn't be a problem to create a certificate with a
> modified capability set anyway.

Yes, I didn't think that through properly.

>> There is no real limitation here. If a need arose for
>> "higher security" signing or encryption keys, new
>> subkeys with those capabilities could be created and
>> circulated, and the secret subkeys stored offline just
>> like the main key.

> That's right but makes the whole thing even more
> complicated – without explaining what the advantage
> should be.

I disagree. What you see as added complication, I see as
simplification. Most keys having a single use but one having several
uses is more complicated to me than each key having a single use.

> And complicated is bad as  understanding is
> critical to the practical value of crypto.


> Once unlocked the
> OpenPGP card does as many decryptions as you want. I do
> not see any reason for that.

Convenience. (Which is often the opposite of security.)

> I would not call such
> a "depricated" name "invalid". The person can still be
> identified by the old name.

They can, and some people routinely are (such as solicitors who use
their former name for work and their current name for non-work
matters). But hanging on to the old identity whilst also taking up the
new one sends mixed messages and seems like a contradiction.

> In that case it makes sense IMHO only if the
> certification procedure (for the "real" key) is
> somewhat complicated because the key owner follows a
> good certification policy.

It means a lapse in competence, such as accidentally exporting your
local signatures, does not compromise your good certification policy.

- --
Best regards

MFPA                    mailto:expires2012 at rocketmail.com

Wait. You think I'm right?


More information about the Gnupg-users mailing list