First steps with GPG, am I off to a good start?

Robin Kipp mlists at robin-kipp.net
Sat Oct 12 01:11:48 CEST 2013


Hi Daniel,

Am 11.10.2013 um 05:25 schrieb Daniel Kahn Gillmor <dkg at fifthhorseman.net>:

> This is absolutely correct.  You should not be re-using the same RSA key
> for two different usages if at all possible.  See, for example
> https://www.schneier.com/paper-chosen-protocol.html

Many thanks for that advice and the link! As I said in my previous message, I've now revoked the subkey and generated 2 new ones.

> 
> You can fix this by simply revoking this subkey and adding two new
> subkeys, one for encryption and one for signing.  GnuPG will
> automatically select the right one to use for whichever purpose.

I did just that, and now have 3 subkeys: the revoked one, one for signing and one for encrypting. However, after checking my last couple signatures, it appears GPG is now using the revoked subkey for signatures, which, of course, is not good at all! What do I do now, do I have to delete that subkey?
> 
>> I know of no good reason for creating a mainkey without expiration date.
> 
> I also agree with this.  An expiration date of 3 years is reasonable.
> If you're using the key actively and you do not believe it has been
> compromised two years later, it should not be much extra work to extend
> your expiration date for another two years.
> 
> The expiration date on your primary key gives you a failsafe endpoint in
> the event that you lose all copies of your secret key material and your
> revocation certificate.  (you do have a revocation certificate generated
> and stored someplace safe, right?  i didn't notice that in your list of
> steps)

Many thanks for the great explanation! I now edited the expiration date of the main key… As for the revocation certificate, I have to admit that I didn't generate that right away. To be honest, I kind of skipped over that option, as I suspected that this would immediately revoke the key… Well, I do have it now, and it's stored in a safe place as well :-)

> 
> I disagree with these last recommendations from hauke.  Take that as you
> will.

Well… This may be a question of personal preference, and I could well imagine that religious battles have already been fought over questions like that...
> 
> I don't think such policy information in the User ID is particularly
> useful to other people (i'd be interested to hear of a situation where
> that communication actually changes peoples actions and where it can
> only be made through the User ID as opposed to, say, on a web page, a
> blog post, in-person communication during keysigning, etc), and adding
> comments like this to the User ID makes it more difficult for others to
> decide whether to certify your key (since they may not be able to verify
> the claim you're asking them to assert).

Very true. I think that a user ID should perhaps always contain a verifiable component, such as an EMail address - well, I guess someone could even put in their phone number or street address if they so desired, right?
> 
> i hope this analysis is helpful,

Yes, thanks a lot for the effort - greatly appreciated! :-)
Robin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20131012/8114a491/attachment.sig>


More information about the Gnupg-users mailing list