A few newbie questions, am I doing this right?
expires2012 at rocketmail.com
Tue Dec 18 00:37:33 CET 2012
On Sunday 16 December 2012 at 5:03:42 AM, in
<mid:7064600.aJxIxBHWNB at inno>, Hauke Laging wrote:
> With a compromised mainkey it
> shouldn't be a problem to create a certificate with a
> modified capability set anyway.
Yes, I didn't think that through properly.
>> There is no real limitation here. If a need arose for
>> "higher security" signing or encryption keys, new
>> subkeys with those capabilities could be created and
>> circulated, and the secret subkeys stored offline just
>> like the main key.
> That's right but makes the whole thing even more
> complicated – without explaining what the advantage
> should be.
I disagree. What you see as added complication, I see as
simplification. Most keys having a single use but one having several
uses is more complicated to me than each key having a single use.
> And complicated is bad as understanding is
> critical to the practical value of crypto.
> Once unlocked the
> OpenPGP card does as many decryptions as you want. I do
> not see any reason for that.
Convenience. (Which is often the opposite of security.)
> I would not call such
> a "deprecated" name "invalid". The person can still be
> identified by the old name.
They can, and some people routinely are (such as solicitors who use
their former name for work and their current name for non-work
matters). But hanging on to the old identity whilst also taking up the
new one sends mixed messages and seems like a contradiction.
> In that case it makes sense IMHO only if the
> certification procedure (for the "real" key) is
> somewhat complicated because the key owner follows a
> good certification policy.
It means a lapse in competence, such as accidentally exporting your
local signatures, does not compromise your good certification policy.
MFPA mailto:expires2012 at rocketmail.com
Wait. You think I'm right?
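A check for the single-capability key layout argued for in this reply, added here as an example and not taken from the thread or from GnuPG itself: it parses constructed `gpg --with-colons --list-keys` output (key IDs, fingerprint and timestamps are made up) and flags any primary key that is not certify-only and any subkey carrying more than one capability.

```python
"""Check an OpenPGP key layout against a one-capability-per-key policy."""
from typing import Dict, Iterator, List, Tuple

# Constructed sample of `gpg --with-colons --list-keys` output; the key IDs,
# fingerprint, uid hash and timestamps are made up for this example.
SAMPLE_LISTING = """\
tru::1:1355787453:0:3:1:5
pub:u:3072:1:0123456789ABCDEF:1355787453:::u:::cESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1355787453::0000000000000000000000000000000000000000::Example User <user at example.invalid>::::::::::0:
sub:u:3072:1:FEDCBA9876543210:1355787453:1387323453:::::s::::::23:
sub:u:3072:1:1122334455667788:1355787453:1387323453:::::e::::::23:
sub:u:3072:1:8877665544332211:1355787453:1387323453:::::sa::::::23:
"""

PRIMARY = {"pub", "sec"}   # public / secret primary key records
SUBKEY = {"sub", "ssb"}    # public / secret subkey records


def _key_records(listing: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (record type, key ID, own capabilities) for every key record.

    Field 12 holds the capability letters: lowercase letters belong to this
    key itself, uppercase letters on the primary record summarise the whole
    certificate, so only lowercase letters are kept.
    """
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in PRIMARY | SUBKEY and len(fields) > 11:
            own = "".join(ch for ch in fields[11] if ch.islower())
            yield fields[0], fields[4], own


def key_capabilities(listing: str) -> Dict[str, str]:
    """Map each key ID to the capabilities that key alone carries."""
    return {keyid: own for _, keyid, own in _key_records(listing)}


def policy_violations(listing: str) -> List[str]:
    """Report keys breaking the layout: certify-only primary key, and
    exactly one capability (sign, encrypt or auth) per subkey."""
    problems: List[str] = []
    for kind, keyid, own in _key_records(listing):
        if kind in PRIMARY and own != "c":
            problems.append(
                f"primary key {keyid} has capabilities '{own}'; expected certify only")
        elif kind in SUBKEY and len(own) != 1:
            problems.append(
                f"subkey {keyid} has capabilities '{own}'; expected exactly one")
    return problems
```

Run it against `gpg --with-colons --list-secret-keys` output as well; the `sec`/`ssb` records are handled the same way.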