Mainkey with many subkeys??

Pete Stephenson pete at heypete.com
Mon Dec 8 11:37:56 CET 2014


On Mon, Dec 8, 2014 at 10:12 AM, gnupgpacker <gnupgpacker at on.yourweb.de> wrote:
> Kristian,
> I am a little bit confused about your key design ;)
>
> Main key has options SC.
> There is an active newer signing key S, so this will be always used for
> signing?

My understanding is that if you have multiple signing subkeys on one
computer, GnuPG will use the most-recently-created signing subkey for
signing messages by default.

However, nothing stops you have from creating multiple signing subkeys
and distributing these to your different devices (e.g. SubkeyA for
your desktop, SubkeyB for your laptop, etc.).

Since all these signing subkeys are bound to your main key, signatures
generated by any of them are valid. Recipients who verify the
signatures do not need to be aware of the existence of other subkeys,
so long as the binding between the main key and the subkey used to
sign the message exists.

> And there are two active encryption keys E:
> GPG uses in my opinion only the key generated latest, isn't it?

Encryption subkeys are handled a bit differently. Typically GnuPG will
encrypt messages to the recipient's most-recently-created encryption
subkey. This makes per-device encryption subkeys a bit less practical.

> So how to desire which key is used?

You can specify a particular keyID by appending an exclamation point (
! ) after the key ID, fingerprint, etc.

See https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html
for details.

As an example, I have a DSA main key with the ID 0xDA122186. When I
generated it I also generated an ElGamal encryption subkey. Later, I
generated RSA encryption and signing subkeys. If I sign a message,
GnuPG will use the RSA signing subkey by default. If someone encrypts
a message to me, they will encrypt a message to the RSA encryption
subkey (as it is newer than the ElGamal one).

If I wanted to force GnuPG to sign a message with my DSA main key
instead of the RSA subkey, I could use the command "gpg --clearsign
--armor -u DA122186!". Similarly, if someone wanted to force a message
to be encrypted to my ElGamal subkey they could use "gpg --encrypt
--armor -r 19DF6C14!"

Cheers!
-Pete

> And what's about backward compatibility?
>
> Thanks for any hint, regards, Chris
>
>
>> -----Original Message-----
>> From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of
>> Kristian Fiskerstrand
>> Sent: Sunday, December 07, 2014 10:16 PM
>> Tomo: you'll find that my key have a few subkeys at least due to these
>> practises. It doesn't provide any issue for either keyservers or to
>> use more generally, but you are correct in that the information is
>> retained.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



-- 
Pete Stephenson



More information about the Gnupg-users mailing list