Trying to understand the bond between master and subordinate key pairs

Faru Guredo faruguredo at gmail.com
Wed Feb 12 04:02:51 CET 2014


I’ve read the GNU Privacy Handbook and the FAQ and thought I understood the
purpose of all four keys initially generated with --gen-keys.
But then I found this https://wiki.debian.org/subkeys and lost it.

tl;dr: There is a suggested backup of ~/.gnupg, then creation of a new pair of
subkeys for signing, then all public keys and secret subkeys are exported, the
master key (for signing) is removed (but still available in the backup) and
finally the public keys along with the secret keys are imported back. This is
suggested — as far as I understand — in order to keep the original master
key for signing in a secret place, because master signing key = my genuine
identity. But.

Which public keys should be uploaded to the keyserver? Other people may
verify your signature and encrypt files for you only if they have the
corresponding public keys (of yours). But what about gathering signatures
of other people on your own public key? Should I upload the public key of my
master signing key along with the public key of the subordinate keypair I
am planning to use daily? If not, what is the purpose of the public part of
the master keypair? If I don’t upload it, how will other people verify
signatures I made on their keys or my own keys? Does it all mean I need at
least three public keys to be known to other people — two for daily signing
and encrypting and one to verify master key signatures? Do they even need
to verify what I sign with my master key (I mean my keys and their keys)?

I don’t get the bond between master keys and subordinate keys. Does it even
exist? To me they look like totally different keys. Okay, when I usually
sign files with key AAAAAAAA when I send them to Alice, and eventually I
want to sign her key (…which of her keys, actually? The one she uses daily
or the one she keeps like me? If she keeps it, how did it get to me? Which
public keys are supposed to collect signatures of other people — the master
one or the newly created subordinate one?), I need to use my master key
BBBBBBBB. How does she know that BBBBBBBB is also my key if they have
different IDs? (Let’s assume the public key of the master pair is irrelevant,
and signing pubkey exchange is done via the subordinate pair, which never
expires.)

Sorry for my English.
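The link between a primary ("master") key and its subkeys, which the question above asks about, can be inspected directly with gpg. The script below is an added example, not code from the original post: it builds a disposable key pair in a scratch GNUPGHOME (the user ID is a constructed placeholder) and shows that the subkey is listed under the primary key's fingerprint and carries a binding signature made by the primary key, which is how a verifier learns that both belong to the same owner.

```shell
#!/bin/sh
# Added example, not part of the original post: build a throwaway key pair in
# a scratch GNUPGHOME and show how a subkey is tied to its primary ("master")
# key.  The user ID below is a constructed placeholder.
set -eu

# Creates an Ed25519 certify-only primary key plus one signing subkey.
# Sets the globals GNUPGHOME and FPR (fingerprint of the primary key).
setup_scratch_keyring() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example User <example@example.invalid>' ed25519 cert never
    FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$FPR" ed25519 sign never
}

# Prints the primary key (pub) and its subkeys (sub) with key ID and usage:
# the subkey is listed under the primary key, not as an unrelated key.
list_key_structure() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1 == "pub" || $1 == "sub" { print $1, $5, "usage=" $12 }'
}

# Returns the number of subkey-binding signatures (OpenPGP signature class
# 0x18) in the exported public key.  Each one is made by the primary key and
# is what tells a verifier that the subkey belongs to this primary key.
count_subkey_bindings() {
    gpg --batch --export "$1" | gpg --batch --list-packets 2>/dev/null \
        | grep -c 'sigclass 0x18'
}

# Stops the agent serving the scratch home and deletes the directory.
teardown_scratch_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

setup_scratch_keyring
list_key_structure "$FPR"
echo "subkey binding signatures: $(count_subkey_bindings "$FPR")"   # prints 1
teardown_scratch_keyring
```

Uploading the exported public key therefore sends the primary key together with its subkeys and binding signatures as one unit; certifications from other people are made on the primary key's user IDs.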