Best Practice, subkeys and subkey cross-certification.

Hauke Laging mailinglisten at
Tue Sep 24 03:41:22 CEST 2013

On Tue 24.09.2013, 00:21:09, Chuck Peters wrote:
> I attended a small key signing party Saturday after generating a new key
> with multiple subkeys with the notion of having email signing keys on
> less secure systems like my VPS (using mutt) and a separate subkey for
> each computer or device.

Would you explain that in more detail? I am not sure whether that makes sense.

> So I can keep my primary key off the
> network and use it only for signing other people's keys.

You should consider not only storing the key offline but using it in a safe 
environment only. Besides managing your own and other keys it makes sense to 
use it for signing very important data (like your key policy).

> Another sensible precaution is to have different passphrases for each of
> these subkeys.  However when working with the full key set when I
> attempted to change the passphrase for a subkey, it also changed the
> passphrase for the main key.  I'm assuming at this point when I separate
> the keys, I can change the passphrase as planned...  Is this a bug?

GnuPG can use keys with subkeys which have different passphrases but it cannot 
create such keys (at least not with "normal operation"). This is not a bug, 
just a missing feature.

> OK, the FAQ is the first I heard about subkey cross-certification.  Is
> that info current and correct?  What is recommended?

Don't care about that, it's handled automatically.

Crypto for everyone:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5