key management & APG

Hauke Laging mailinglisten at
Sun Aug 4 17:21:58 CEST 2013

Am So 04.08.2013, 10:00:49 schrieb Philipp Klaus Krause:

> > Then the sender can decide how confidential the information is (or how
> > reliable the signature must be).
> You mean creating two separate keys for the same email address? And sign
> each with the other?

You may sign them with each other.

> Anyone else will have to sign both of my keys for this address?

If you sign them with each other and both signing keys are high security (the 
one as a whole and the offline mainkey of the other) then everyone would have 
to sign one only. In general it would be enough to sign the highest security 
key of a person but this may break the web of trust because that unfirtunately 
does not make a difference between your own keys and those of others.

> How would I document the security levels?

For the future I suggest a five step scale:

1: test key (publicly available) or used on untrusted systems
2: key available to trusted other systems (e.g. webmail) or smartphones
3: normal PC (email, web surfing)
4: hardened normal PC (noone else is using it; technical protections)
5: secure environment (e.g. verified Linux live DVD)

I guess anything above that can hardly be standardized (and need not).

> Use the comment field?

When I create keys for Germans I create a UID without email but with this 

"Alltagsschlüssel mit sicherem Offline-Hauptschlüssel und policy URL"

This is:

"Everyday key with secure offline mainkey and policy URL"

The safe way is to have a key policy (not just a certification policy!) which 
is signed by a secure offline mainkey. But, of course, you must know for sure 
that another one's key has a secure offline mainkey. You easily realize that 
the current WoT is useless.

> Will
> current software make the choice easy for the people sending mail to me,

No but if more people start using crypto then the demand for usable solutions 
will arise quickly and result in the tools getting this ability. This could be 
done by signature notations (for both self-signatures and certifications by 

Crypto für alle:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

XMPP (Chat mit OTR): hauke.laging at
XMPP (Chat mit OTR): hauke.laging at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130804/cf826167/attachment.sig>

More information about the Gnupg-users mailing list