"Certify" only master key

Hauke Laging mailinglisten at hauke-laging.de
Wed Jul 31 03:09:07 CEST 2013

Am Di 30.07.2013, 23:10:54 schrieb atair:

> is there anything that speaks against a master key with only the
> "certify" usage-property set?

You give the answer yourself:

> What is the advantage of having a certify+sign master key? In my
> opinion, this sounds dangerous, because to sign a message one would
> always need the secret key of the master key available (if using CS
> master key, and E subkey).

But that is not your case. You have a signature subkey. I.e. you must force 
GnuPG to use the mainkey for signing. GnuPG would never try to use it under 
normal conditions.

> By using a certify only key as master key,
> one could delete the master's secret key on the non-offline system.

So you can if the mainkey can sign, too.

> The only case for a CS master key that comes to my mind, is when one
> wants to sign some important documents in the offline environment
> _with the master key_ (e.g. key policy, some configs etc). In that
> case one would delete the secret master key for the online system and
> use the sign subkey for ordinary communication.


Crypto für alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130731/f9763619/attachment-0001.sig>

More information about the Gnupg-users mailing list