Best Practice, subkeys and subkey cross-certification.
Chuck Peters
cp at axs.org
Tue Sep 24 02:21:09 CEST 2013

I attended a small key signing party Saturday after generating a new key
with multiple subkeys with the notion of having email signing keys on
less secure systems like my VPS (using mutt) and a separate subkey for
each computer or device.

https://wiki.debian.org/subkeys says "The really useful part of subkeys
is that they can be revoked independently of the master keys, and also
stored separately from them." So I can keep my primary key off the
network and use it only for signing other people's keys.

Another sensible precaution is to have different passphrases for each of
these subkeys. However, when working with the full key set, when I
attempted to change the passphrase for a subkey, it also changed the
passphrase for the main key. I'm assuming at this point when I separate
the keys, I can change the passphrase as planned... Is this a bug?
Should I file a bug report?

Then I decided I should do some more reading and get a better
understanding of subkeys, and of the more recent documentation and blogs
I found the following:

http://www.gnupg.org/faq/subkey-cross-certify.en.html
https://alexcabal.com/creating-the-perfect-gpg-keypair/
http://blog.dest-unreach.be/wp-content/uploads/2009/04/pgp-subkeys.html
https://grepular.com/Android_Privacy_Guard_and_Subkeys

OK, the FAQ is the first I heard about subkey cross-certification. Is
that info current and correct? What is recommended?

Does anyone have some pointers on personal or organizational Policy and
Best Practices documents under a copyright or license terms that allow
modification?

Thanks,
Chuck
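
Added example (not part of the original post): a check, run on a less
trusted machine, that the primary secret key is only a stub there while the
subkeys meant for that machine are present. It assumes GnuPG 2.1 or later
colon output, where field 15 of sec/ssb records marks the secret-key state;
the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify secret-key records from
#   gpg --list-secret-keys --with-colons
# Assumption: GnuPG 2.1+ colon format, where field 15 of sec/ssb records is
# "#" for a stub (secret part not on this machine), "+" when the secret
# part is present, or a smartcard serial number.

# Constructed sample listing (key IDs, dates and user ID are made up):
# primary key stubbed, signing subkey present, encryption subkey absent.
sample_listing() {
cat <<'EOF'
sec:u:4096:1:1111111111111111:1379900000:::u:::cESC:::#:::23::0:
uid:u::::1379900000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:2048:1:2222222222222222:1379900000::::::s:::+:::23:
ssb:u:2048:1:3333333333333333:1379900000::::::e:::#:::23:
EOF
}

# Print one line per key: record type, key ID, capabilities, secret-key state.
audit_secret_keys() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      if ($15 == "#")      state = "stub"
      else if ($15 == "+") state = "present"
      else if ($15 != "")  state = "on-card"
      else                 state = "unknown"
      caps = ($12 == "" ? "-" : $12)
      print $1, $5, caps, state
    }'
}

# Succeed only if the listing has a primary key and every primary is a stub.
primary_is_offline() {
  audit_secret_keys | awk '$1 == "sec" { n++; if ($4 != "stub") bad = 1 }
                           END { exit (n == 0 || bad) }'
}

# Real use: gpg --list-secret-keys --with-colons | audit_secret_keys
sample_listing | audit_secret_keys
sample_listing | primary_is_offline && echo "primary secret key is not on this machine"
```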