Best Practice, subkeys and subkey cross-certification.

Chuck Peters cp at axs.org
Tue Sep 24 02:21:09 CEST 2013


I attended a small key signing party Saturday after generating a new key 
with multiple subkeys, with the notion of having an email signing key on 
less secure systems like my VPS (using mutt) and a separate subkey for 
each computer or device.

https://wiki.debian.org/subkeys says "The really useful part of subkeys 
is that they can be revoked independently of the master keys, and also 
stored separately from them."  So I can keep my primary key off the 
network and use it only for signing other people's keys.  

Another sensible precaution is to have different passphrases for each of 
these subkeys.  However, when working with the full key set, when I 
attempted to change the passphrase for a subkey, it also changed the 
passphrase for the main key.  I'm assuming at this point that when I 
separate the keys, I can change the passphrase as planned...  Is this a 
bug?  Should I file a bug report?

Then I decided I should do some more reading to get a better 
understanding of subkeys, and among the more recent documentation and 
blogs I found the following:  
http://www.gnupg.org/faq/subkey-cross-certify.en.html 
https://alexcabal.com/creating-the-perfect-gpg-keypair/ 
http://blog.dest-unreach.be/wp-content/uploads/2009/04/pgp-subkeys.html 
https://grepular.com/Android_Privacy_Guard_and_Subkeys

OK, the FAQ is the first I heard about subkey cross-certification.  Is 
that info current and correct?  What is recommended?


Does anyone have some pointers on personal or organizational Policy and 
Best Practices documents under copyright or license terms that allow 
modification?


Thanks,
Chuck
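The offline-primary-key setup the post describes (keep the primary key off the network, carry only subkeys on day-to-day machines), as an added shell example that is not part of the original post or of GnuPG's own documentation. It assumes GnuPG 2.1 or later on PATH (the %no-protection batch directive and gpgconf are not in 1.4), works in a throwaway GNUPGHOME, and uses a constructed test identity. The per-subkey passphrase behaviour the post asks about is not exercised, because the test key is deliberately generated without a passphrase so the script can run unattended.

```shell
#!/bin/sh
# Added example (not from the original post): generate a key with one
# signing subkey, strip the primary secret key so only the subkey stays on
# this machine, then confirm two things: gpg lists the primary as a stub
# ("sec#"), and a signature made with the subkey verifies without the
# "not cross-certified" warning. Assumes GnuPG 2.1 or later on PATH.
set -eu

demo_offline_primary() {
    export GNUPGHOME
    GNUPGHOME=$(mktemp -d)
    chmod 700 "$GNUPGHOME"
    # Do not let the throwaway agent and keyring outlive the demo.
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

    # Unattended generation; "%no-protection" is a GnuPG 2.1+ directive.
    # Ed25519 is used so generation does not stall waiting for entropy.
    # The identity below is constructed for the test only.
    gpg --batch --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: EDDSA
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: EDDSA
Subkey-Curve: Ed25519
Subkey-Usage: sign
Name-Real: Subkey Demo (constructed test key)
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    fpr=$(gpg --batch --with-colons --list-secret-keys \
          | awk -F: '/^fpr/ { print $10; exit }')

    # Keep only the subkey's secret material: export the secret subkeys,
    # delete every secret key, re-import the export. What comes back is the
    # secret subkey plus a stub in place of the primary secret key.
    gpg --batch --export-secret-subkeys "$fpr" > "$GNUPGHOME/subkeys.gpg"
    gpg --batch --yes --delete-secret-keys "$fpr"
    gpg --batch --import "$GNUPGHOME/subkeys.gpg" >/dev/null 2>&1

    primary=present
    if gpg --batch --list-secret-keys 2>/dev/null | grep -q '^sec#'; then
        primary=stub
    fi

    # The subkey can still sign. Since the primary is a stub, gpg picks the
    # signing subkey; the verifier must not report a missing back-signature
    # (GnuPG has attached these automatically since 1.4.3).
    printf 'hello\n' > "$GNUPGHOME/msg.txt"
    gpg --batch --detach-sign --output "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt"
    subkey=cross-certified
    if gpg --batch --verify "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt" 2>&1 \
       | grep -qi 'not cross-certified'; then
        subkey=not-cross-certified
    fi
    printf 'primary=%s subkey=%s\n' "$primary" "$subkey"
}
```

The `sec#` marker in the listing is how gpg flags a secret primary key that is present only as a stub, which is exactly the state you want on a VPS or laptop. The verify step exercises the cross-certification the FAQ describes: for a key generated with an old release, or one whose signing subkey was added by other software, run `gpg --edit-key <keyid>` and the `cross-certify` command with the primary key present, then re-export the subkeys.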


