Identifying your private key by the public KeyID

Werewolf werewolf6851 at gmail.com
Thu Aug 29 06:24:22 CEST 2013


On 08/06/2013 09:44 AM, David Shaw wrote:
> On Aug 6, 2013, at 9:22 AM, Kenneth Jones <kententen at me.com> wrote:
> 
>> I'm referring to the information you see for example in the prompt to
>> enter your private key when you have received an encrypted message in
>> Thunderbird/Enigmail. The window "pinentry" prompts "Please enter the
>> pass...2048-bit RSA key, ID DEADBEEF, created ... (main key ID
>> ABCD0123)." Notice there are two key IDs mentioned in the window, one
>> called Main, which is also the public Key ID, (the one I expected, the
>> one I remember) and the other for the secret key (which I have Never
>> Paid any attention to).
> 
> Ah, that clarifies it.  Yes, as a few people have suggested, that's the subkey ID.  It's not inherently public or secret, but just another key attached to your primary key.  In OpenPGP, "your key" refers to a primary key, plus some number of subkeys (occasionally zero, but that's fairly rare).  The primary key is the one that the user IDs (email addresses, etc) are attached to, and the one that gathers signatures from other people if you get your key signed.
> 
> The subkey(s) are keys attached to the primary key, that can be used for encryption or signing.  The idea is that since it is difficult to change your primary key (you'd need to get it re-signed, and re-print your business cards, and the like) you should be able to change the subkey quickly and easily.  A common methodology (and in fact the default for many programs) is to use the primary key for signing, and a subkey for encryption.  There are interesting variations that can be used with this basic design: some people leave their primary key offline completely, only taking it out to make new subkeys.  Some people use different passphrases on different subkeys.
> 
> To answer your original question, though, traditionally the key-as-a-whole is referred to by its primary key ID and fingerprint.  The subkeys are effectively along for the ride. Some programs make a point of telling you which subkey is in use at a particular time.  Some do not.
> 
> David
> 

Pops into this thread.  Is there any major disadvantage to having a main key
of, say, 2048 bits, but subkeys of 3072 or 4096 bits?

Wolf.
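
As an added example (not code from this thread or from GnuPG itself): a small Python parser for the machine-readable listing that `gpg --list-keys --with-colons` prints, which resolves the subkey ID that pinentry shows (short or long form) back to the primary key ID the user remembers, along with each key's size and capability flags. The listing embedded below is constructed, with made-up key IDs and user ID, and the record layout follows GnuPG's documented colon format.

```python
# Resolve an OpenPGP key ID (primary or subkey, short or long form) to the
# primary key that owns it, from `gpg --list-keys --with-colons` output.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the --with-colons record format (GnuPG doc/DETAILS);
# key IDs, the UID hash and the user ID are made up.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCD01:1375786800:::u:::scESC:
uid:u::::1375786800::0000000000000000000000000000000000000000::Example User <user at example.org>:
sub:u:4096:1:FEDCBA9876DEADBF:1375786800::::::e:
sub:u:3072:1:1122334455667788:1375786800::::::s:
"""

@dataclass
class PrimaryKey:
    keyid: str                 # long (16 hex digit) key ID
    bits: int
    caps: str                  # field 12: s/e/c/a; uppercase = usable on whole key
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)   # (keyid, bits, caps)

def parse_listing(text: str) -> list:
    """Group pub/uid/sub records into PrimaryKey objects; other records are skipped."""
    keys: list = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 11:
            keys.append(PrimaryKey(f[4].upper(), int(f[2]), f[11]))
        elif f[0] == "uid" and keys and len(f) > 9:
            keys[-1].uids.append(f[9])
        elif f[0] == "sub" and keys and len(f) > 11:
            keys[-1].subkeys.append((f[4].upper(), int(f[2]), f[11]))
    return keys

def find_primary(keys: list, keyid: str) -> Optional[dict]:
    """Look up an 8- or 16-hex-digit key ID as pinentry shows it. A short ID is the
    low 32 bits of the long ID (its last eight hex digits), so suffix matching covers both."""
    needle = keyid.strip().upper()
    needle = needle[2:] if needle.startswith("0X") else needle
    if len(needle) not in (8, 16) or any(c not in "0123456789ABCDEF" for c in needle):
        raise ValueError("key ID must be 8 or 16 hex digits")
    for k in keys:
        candidates = [(k.keyid, k.bits, k.caps, "primary")] + [s + ("subkey",) for s in k.subkeys]
        for kid, bits, caps, role in candidates:
            if kid.endswith(needle):
                return {"primary": k.keyid, "matched": kid, "role": role,
                        "bits": bits, "caps": caps, "uids": k.uids}
    return None
```

Because each record carries the key's bit length, the same parse also makes the mixed sizes Wolf asks about visible at a glance (the sample models a 2048-bit primary with 4096- and 3072-bit subkeys).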


