Several master keys vs. master key and subkeys
wk at gnupg.org
Tue Jul 16 10:09:38 CEST 2013
On Tue, 16 Jul 2013 01:16, martin.brochhaus at gmail.com said:
> This person claims that subkeys are not the best option because:
> ### QUOTE ###
> Disadvantages of subkeys:
> * I find them Confusing.
They mandotory part of the standard and solve the problem of having
separate keys for separate purposes (at least encryption and signing).
> * There are disturbingly many (i.e., any at all) bug reports on the web
> about gpg software handling subkeys incorrectly.
I am not aware of any problems with them. They have been with us for 15
> * It is possible to export a subkey and attach it to a different primary
> key, creating a potential security hole.
That is only possible for the owner of the primary key. It is further
not possible to add a signing subkey if you can't create a signature
with that signing subkey. There is no problem adding a foreign
encryption subkey to your key: Either you can use (know the protection
passphrase) that subkey - then you are the owner; or you can't use it -
then it is useless.
> * No ability (without a lot of hassle, anyway) to use different passphrases
> on primary and subkeys.
gpg works correctly if you have different passphrases. I use a
different one for my offline key than for my subkey-only online key.
For the user experience different passphrases are the worst thing you
can do. Remembering a passphrase is difficult enough; entering two
different passphrases for sending mail (signing) and reading mail
(decryption) is a no-go.
> I would like to know if David Soergel's approach has any flaws. As I
> understand it, it works the same as using real subkeys, I would create two
> normal keys, declare one to be my master key and one to be my first subkey.
Oh dear, that is Lutz's pgp 2.6 approach which fortunately led to a
solid spec named OpenPGP.
> Any reasons why I should stick to GPGs "native" subkey feature?
Yes, because that is a core concept of OpenPGP.
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-users