Mainkey with many subkeys??

Tomo Ruby tomofr at web.de
Thu Dec 11 15:15:26 CET 2014


> Recommended by whom and against what threat model? And, really, the
> same lifespan for signing keys as for encryption keys?

To be honest I didn't think and search about that too much, but that was not the point anyways...

> My take on the advice I have most often seen in previous
> discussions is to set fairly short expiry dates, and make the decision
> whether to replace it or extend its life when the expiry date is
> approaching.

How do you judge whether to replace the key or not? Of course there are obvious opportunities when to replace keys but if nothing special (like the system being compromised) happens, I really know only of this approach:
The more encrypted/signed data I spread over the web, the easier it might be for an attacker to calculate the secret key. And because of that I'd replace on a regular basis. Please correct me here if I'm wrong!!

> A lot of keys are created without expiry date. This is the GnuPG
> default; we are frequently exhorted that the defaults are chosen to be
> sensible for most users, and to only deviate if you know what you are
> doing _and_why_.

See above, besides Enigmail for example uses default values with expiration dates...

> A large proportion of keys do not have a signing subkey (certainly of
> the 32 we currently encrypt messages to for the PGPNET discussion
> group [0], last time I looked there were about 12 or 14 with signing
> subkeys).

I'm not sure if I understand you right here but if you ask why I would use a subkey to sign, the answer is: Because I want to use an offline mainkey and subkeys for the daily work...

> And an individual who uses GnuPG only for email communication and file
> encryption has no need of an authentication key. That is probably a
> large percentage of users.

Well that was actually the reason I started this whole process of reading, searching and now discussing: I want to use my key to authenticate to an SSH-Server...
And to answer to the message of Doug Barton on Tue Dec 9 00:26:30 CET 2014: The sign and encrypt subkeys are mostly used for emails and a little bit of "offline encryption".

Thanks again for the help! I really appreciate it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20141211/84709ab1/attachment.sig>


More information about the Gnupg-users mailing list