"Certify" only master key

Hauke Laging mailinglisten at hauke-laging.de
Wed Jul 31 03:09:07 CEST 2013


On Tue 30.07.2013, 23:10:54, atair wrote:

> is there anything that speaks against a master key with only the
> "certify" usage-property set?

You give the answer yourself:


> What is the advantage of having a certify+sign master key? In my
> opinion, this sounds dangerous, because to sign a message one would
> always need the secret key of the master key available (if using CS
> master key, and E subkey).

But that is not your case. You have a signature subkey. I.e. you must force 
GnuPG to use the mainkey for signing. GnuPG would never try to use it under 
normal conditions.


> By using a certify only key as master key,
> one could delete the master's secret key on the non-offline system.

So you can if the mainkey can sign, too.


> The only case for a CS master key that comes to my mind, is when one
> wants to sign some important documents in the offline environment
> _with the master key_ (e.g. key policy, some configs etc). In that
> case one would delete the secret master key for the online system and
> use the sign subkey for ordinary communication.

Right.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
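
The key layouts discussed in this thread can be checked on an online machine from the output of `gpg --list-secret-keys --with-colons`. The following is an added example, not part of the original message or of GnuPG; it assumes the GnuPG 2.1+ colon format described in doc/DETAILS, and the sample listings and key IDs are constructed.

```python
# Added example. Field numbers follow GnuPG's doc/DETAILS colon format:
# field 1 record type, field 5 key ID, field 12 capabilities,
# field 15 "#" when only a stub of the secret key is stored.

def parse_keys(listing):
    """Group sec/ssb records into primary keys with their subkeys."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        entry = {
            "keyid": f[4],
            # Lowercase letters are this key's own capabilities; the uppercase
            # letters on a primary describe the key as a whole and are skipped.
            "caps": {c for c in f[11] if c.islower()},
            "stub": f[14] == "#",
        }
        if f[0] == "sec":
            keys.append({"primary": entry, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(entry)
    return keys

def audit(listing):
    """Return (keyid, finding) pairs for an online keyring listing."""
    findings = []
    for key in parse_keys(listing):
        primary = key["primary"]
        sign_sub = any("s" in s["caps"] and not s["stub"] for s in key["subkeys"])
        if not primary["stub"]:
            findings.append((primary["keyid"], "primary secret key is stored here"))
        if "s" in primary["caps"] and not sign_sub:
            findings.append((primary["keyid"], "signing depends on the primary secret key"))
    return findings

# Constructed listings; key IDs are made up.
SUBKEYS = ("ssb:u:2048:1:BBBBBBBBBBBBBBBB:1375000000::::::s:::+:\n"
           "ssb:u:2048:1:CCCCCCCCCCCCCCCC:1375000000::::::e:::+:\n")
C_ONLY_STUB = "sec:u:4096:1:AAAAAAAAAAAAAAAA:1375000000:::u:::cSE:::#:\n" + SUBKEYS
CS_STUB = "sec:u:4096:1:DDDDDDDDDDDDDDDD:1375000000:::u:::scSE:::#:\n" + SUBKEYS
CS_ONLINE_E_ONLY = ("sec:u:4096:1:EEEEEEEEEEEEEEEE:1375000000:::u:::scSE:::+:\n"
                    "ssb:u:2048:1:FFFFFFFFFFFFFFFF:1375000000::::::e:::+:\n")

if __name__ == "__main__":
    for name in ("C_ONLY_STUB", "CS_STUB", "CS_ONLINE_E_ONLY"):
        print(name, audit(globals()[name]))
```

Both stub layouts produce no findings, whether the primary is certify-only or certify+sign; only the layout with the primary secret key stored locally and no signing subkey is flagged.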