Is it possible to remove capabilities from an existing key?
Hauke Laging
mailinglisten at hauke-laging.de
Thu Sep 12 00:16:45 CEST 2013
On Wed 11.09.2013, 23:42:30 Philip Jägenstedt wrote:
> My public key has the default capabilities sign and certify. I've seen
> that some people have only the certify capability in order to be able to
> keep the main key offline most of the time.
It's of limited use to make a former online mainkey an offline mainkey. You
should create a completely new key (on a secure system).
> Is it technically possible to change the capabilities of an existing
> key, even if there's no way to do it via --edit-key?
May be possible (it surely would be with patching GnuPG) but is not necessary.
It makes perfect sense to have signing (and even encryption) capability on an
offline mainkey.
> If it's not possible, what would be the consequence of adding a subkey
> with the sign capability, which key would be used when both are
> available?
If there is a subkey then it is used always. I do not know though whether this
is a direct effect (defined that way) or an indirect one: The creation date
(and the selfsig date) of a subkey should always be after the creation date of
the mainkey.
Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
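An added example, not part of this thread or of GnuPG itself: a small Python helper that parses `gpg --list-keys --with-colons` output (a constructed sample with placeholder key IDs is embedded), reports each key's own capability letters from field 12, and picks the signing key using the rule Hauke states above (a signing-capable subkey is preferred over the primary key); choosing the newest among several signing subkeys is an assumption of this example.

```python
"""Parse `gpg --list-keys --with-colons` records and report key capabilities.

Hypothetical helper, not part of GnuPG. Field 12 of pub/sub records holds
the capability flags: lowercase letters are the capabilities of that key
itself (s=sign, c=certify, e=encrypt, a=authenticate); uppercase letters on
the pub record are the usable capabilities of the whole key, subkeys included.
"""
from typing import Dict, List, Optional

# Constructed sample output: a primary key with sign+certify (the default the
# question describes) plus a signing subkey and an encryption subkey.
# Key IDs and fingerprints are placeholders, not real keys.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1378900000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1378900000::0000000000000000000000000000000000000001::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1378950000::::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
sub:u:4096:1:0011223344556677:1378960000::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
"""

def parse_keys(colons: str) -> List[Dict[str, object]]:
    """Return one dict per pub/sub record with that key's own capabilities."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        caps = f[11] if len(f) > 11 else ""
        keys.append({
            "kind": f[0],                     # "pub" = primary, "sub" = subkey
            "keyid": f[4],
            "created": int(f[5]),             # creation time, seconds since epoch
            "own": {c for c in caps if c.islower()},
        })
    return keys

def signing_key(keys: List[Dict[str, object]]) -> Optional[str]:
    """Key ID gpg would sign with: a signing subkey beats the primary key;
    among several signing subkeys the newest is taken (assumption)."""
    subs = [k for k in keys if k["kind"] == "sub" and "s" in k["own"]]
    if subs:
        return max(subs, key=lambda k: k["created"])["keyid"]
    for k in keys:
        if k["kind"] == "pub" and "s" in k["own"]:
            return k["keyid"]
    return None  # nothing can sign (e.g. certify-only primary, no subkey)

if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        print(k["kind"], k["keyid"], "".join(sorted(k["own"])))
    print("signs with:", signing_key(parse_keys(SAMPLE)))
```

Pipe real output in with `gpg --list-keys --with-colons | python3 keycaps.py` after replacing `SAMPLE` with `sys.stdin.read()`.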