Several master keys vs. master key and subkeys

Werner Koch wk at gnupg.org
Tue Jul 16 10:09:38 CEST 2013


On Tue, 16 Jul 2013 01:16, martin.brochhaus at gmail.com said:

> This person claims that subkeys are not the best option because:
>
> ### QUOTE ###
>
> Disadvantages of subkeys:
>
> * I find them Confusing.

They are a mandatory part of the standard and solve the problem of having
separate keys for separate purposes (at least encryption and signing).

> * There are disturbingly many (i.e., any at all) bug reports on the web
> about gpg software handling subkeys incorrectly.

I am not aware of any problems with them.  They have been with us for 15
years!

> * It is possible to export a subkey and attach it to a different primary
> key, creating a potential security hole.

That is only possible for the owner of the primary key.  It is further
not possible to add a signing subkey if you can't create a signature
with that signing subkey.  There is no problem adding a foreign
encryption subkey to your key: Either you can use (know the protection
passphrase) that subkey - then you are the owner; or you can't use it -
then it is useless.

> * No ability (without a lot of hassle, anyway) to use different passphrases
> on primary and subkeys.

gpg works correctly if you have different passphrases.  I use a
different one for my offline key than for my subkey-only online key.
For the user experience different passphrases are the worst thing you
can do.  Remembering a passphrase is difficult enough; entering two
different passphrases for sending mail (signing) and reading mail
(decryption) is a no-go.

> I would like to know if David Soergel's approach has any flaws. As I
> understand it, it works the same as using real subkeys, I would create two
> normal keys, declare one to be my master key and one to be my first subkey.

Oh dear, that is Lutz's pgp 2.6 approach which fortunately led to a
solid spec named OpenPGP.

> Any reasons why I should stick to GPGs "native" subkey feature?

Yes, because that is a core concept of OpenPGP.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
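Worked example added here, not part of Werner's message or of the GnuPG project's own material: it builds the setup he describes, a certify-only primary key kept in an "offline" keyring and a signing/encryption subkey pair exported to an "online" keyring, then checks that the online keyring holds only a stub of the primary secret key, can still sign, and cannot certify. It assumes GnuPG 2.2 or later on PATH; the user ID, the temporary directories and the empty passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes GnuPG 2.2+.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
OFFLINE="$WORK/offline"   # keyring that keeps the full secret primary key
ONLINE="$WORK/online"     # keyring that receives only the secret subkeys
mkdir -m 700 "$OFFLINE" "$ONLINE"
UID_STR="Demo User <demo@example.invalid>"   # constructed identity
trap 'for h in "$ONLINE" "$OFFLINE"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null; done; rm -rf "$WORK"' EXIT

# Run gpg non-interactively in a given home; the demo keys carry an empty passphrase.
gpg_in() { home=$1; shift; GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Certify-only primary key plus one signing and one encryption subkey,
# then move the secret subkeys (and only those) into the online keyring.
make_keys() {
  gpg_in "$OFFLINE" --quick-generate-key "$UID_STR" ed25519 cert never
  FPR=$(GNUPGHOME="$OFFLINE" gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
  gpg_in "$OFFLINE" --quick-add-key "$FPR" ed25519 sign never
  gpg_in "$OFFLINE" --quick-add-key "$FPR" cv25519 encr never
  gpg_in "$OFFLINE" --export-secret-subkeys "$FPR" > "$WORK/subkeys.gpg"
  gpg_in "$ONLINE" --import "$WORK/subkeys.gpg"
}

# Number of secret subkey ("ssb") records in a keyring.
count_ssb() { GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="ssb"{n++} END{print n+0}'; }

# Field 15 of the "sec" record: "#" means the primary secret key is only a stub.
primary_marker() { GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="sec"{print $15; exit}'; }

# Sign with the subkey in the online keyring, verify against the key in the offline one.
sign_and_verify() {
  printf 'constructed message\n' > "$WORK/msg.txt"
  gpg_in "$ONLINE" --local-user "$FPR" --detach-sign --output "$WORK/msg.sig" "$WORK/msg.txt"
  GNUPGHOME="$OFFLINE" gpg --batch --quiet --verify "$WORK/msg.sig" "$WORK/msg.txt" 2>/dev/null
}

# Adding a subkey needs the primary secret key, so the online keyring must refuse it.
online_cannot_certify() {
  if gpg_in "$ONLINE" --quick-add-key "$FPR" ed25519 auth never 2>/dev/null; then return 1; else return 0; fi
}

make_keys
SUBKEYS_ONLINE=$(count_ssb "$ONLINE")
PRIMARY_ONLINE=$(primary_marker "$ONLINE")
PRIMARY_OFFLINE=$(primary_marker "$OFFLINE")
sign_and_verify && SIG_OK=1 || SIG_OK=0
online_cannot_certify && CERT_REFUSED=1 || CERT_REFUSED=0
echo "online keyring: $SUBKEYS_ONLINE secret subkeys, primary secret marker '$PRIMARY_ONLINE' (# = stub)"
echo "subkey signature verified: $SIG_OK; certify refused on online keyring: $CERT_REFUSED"
```

The `sec` record's `#` marker is what `gpg --list-secret-keys` shows as `sec#`: the online machine can sign and decrypt but cannot issue certifications or new subkeys, which is the property the primary/subkey split buys. To give the online copy a different passphrase, as Werner does, run `gpg --change-passphrase` against that keyring; the example leaves both keyrings unprotected only so that it runs without prompts.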
