Mainkey with many subkeys??

gnupgpacker gnupgpacker at on.yourweb.de
Mon Dec 8 16:28:49 CET 2014


Hello,

> -----Original Message-----
> From: Kristian Fiskerstrand
> Sent: Monday, December 08, 2014 12:44 PM
> 
>> Main key has options SC. There is an active newer signing key S, so
>> this will be always used for signing?
> Correct

Why has the mainkey SC if signing is not used? Are there some compatibility reasons?

>> And what about backward compatibility?
> Backwards compatibility in which capacity? Encryption subkeys are well
> supported, signing subkeys are not supported by older versions of PGP,
> but people should not be using these versions anyways.

I am working on some new keypairs with backwards compatibility, pls see this thread:
http://lists.gnupg.org/pipermail/gnupg-users/2014-December/051808.html 

Some corporate partners are still using older versions of Symantec's PGP with WinXP, mostly for intranet. Problems with signing keys are known, sometimes it works, sometimes not. It is very difficult to rate compatibility because Symantec's enterprise support (!) isn't able to send me old PGP versions for testing.

Compatibility seems to depend on the order of subkey creation:
If encryption key is latest, it is working.
If signing key is latest, mostly it is not working.
DSA signing keys are only accepted if max 2048 bit!?
If signing key is not the latest one and will be exchanged, it steps to last position => mostly not working.
And so on...

Best combination found so far:
Example-keystructure:
pub  4096R/97CA9679  erzeugt: 2014-11-22  verfällt: niemals     Aufruf: C
               Vertrauen: uneingeschränkt     Gültigkeit: uneingeschränkt
sub  4096R/9D22119A  erzeugt: 2014-11-22  verfällt: 2016-11-21  Aufruf: A
sub  2048D/37F05D01  erzeugt: 2014-11-22  verfällt: 2016-11-21  Aufruf: S
sub  4096R/884627F6  erzeugt: 2014-11-22  verfällt: 2016-11-21  Aufruf: E
 [  unbek.] (1). vorname nachname (kommentar) <name at edu.com>

Is there any possibility to change order of subkeys in keypair?

Thanks for any hint, regards, Chris
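
Added example, not part of the original message: a Python sketch that reads `gpg --with-colons --list-keys` output and checks the subkey order against the rules of thumb reported above (encryption subkey last, DSA signing subkeys at most 2048 bits). The sample listing and its key IDs are constructed placeholders, and the two checks encode the poster's observations only.

```python
# Added example: constructed input, not taken from the post.
ALGOS = {"1": "RSA", "16": "ELG", "17": "DSA"}  # OpenPGP public-key algorithm IDs

# Constructed colon listing mirroring the layout in the post
# (C primary key; A, S, E subkeys). Key IDs are placeholders.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1416614400:::u:::cC::::::
sub:u:4096:1:AAAAAAAAAAAAAAA2:1416614400:1479600000:::::a::::::
sub:u:2048:17:AAAAAAAAAAAAAAA3:1416614400:1479600000:::::s::::::
sub:u:4096:1:AAAAAAAAAAAAAAA4:1416614400:1479600000:::::e::::::
"""


def parse_keys(listing):
    """Return pub/sub records as dicts, in the order gpg lists them."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) >= 12:
            keys.append({
                "type": f[0],
                "bits": int(f[2]),                 # field 3: key length
                "algo": ALGOS.get(f[3], f[3]),     # field 4: algorithm ID
                "keyid": f[4],                     # field 5: long key ID
                # Field 12: lowercase letters are this key's own capabilities.
                "caps": "".join(c for c in f[11] if c.islower()),
            })
    return keys


def audit(keys):
    """Check the subkey layout against the rules of thumb from the post."""
    subs = [k for k in keys if k["type"] == "sub"]
    notes = []
    if subs and "e" not in subs[-1]["caps"]:
        notes.append("last subkey is not an encryption key")
    for k in subs:
        if "s" in k["caps"] and k["algo"] == "DSA" and k["bits"] > 2048:
            notes.append(f"DSA signing subkey {k['keyid']} exceeds 2048 bits")
    return notes


if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        print(k["type"], f"{k['bits']}{k['algo']}", k["keyid"], k["caps"])
    print(audit(parse_keys(SAMPLE)) or "layout matches the reported working order")
```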




