Best Practice, subkeys and subkey cross-certification.
Hauke Laging
mailinglisten at hauke-laging.de
Tue Sep 24 03:41:22 CEST 2013
Am Di 24.09.2013, 00:21:09 schrieb Chuck Peters:
> I attended a small key signing party Saturday after generating a new key
> with multiple subkeys with the notion of having a email signing keys on
> less secure systems like my VPS (using mutt) and a separate subkey for
> each computer or device.
Would you explain that in more detail? I am not sure whether that makes sense.
> So I can keep my primary key off the
> network and use it only for signing other peoples keys.
You should consider not only storing the key offline but using it in a safe
environment only. Besides managing your own and other keys it makes sense to
use it for signing very important data (like your key policy).
> Another sensible precaution is to have different passphrases for each of
> these subkeys. However when working with the full key set when I
> attempted to change the passphrase for a subkey, it also changed the
> passphrase for the main key. I'm assuming at this point when I separate
> the keys, I can change the passphrase as planned... Is this a bug?
GnuPG can use keys with subkeys which have different passphrases but it cannot
create such keys (at least not with "normal operation"). This is not a bug,
just a missing feature.
> OK, the FAQ is the first I heard about subkey cross-certification. Is
> that info current and correct? What is recommended?
Don't care about that, it's handled automatically.
Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130924/44e6b5e4/attachment.sig>
More information about the Gnupg-users
mailing list