how to do

Paul R. Ramer free10pro at gmail.com
Thu Jul 10 01:26:28 CEST 2014


On July 9, 2014 11:40:06 AM PDT, MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>Hi
>
>
>On Wednesday 9 July 2014 at 5:54:36 PM, in
><mid:3222188.kZ1ztGDBqg at inno>, Hauke Laging wrote:
>
>
>> Am Di 08.07.2014, 14:41:36 schrieb J. David Boyd:
>>> which means that any of them can make changes to your
>>> keys.
>
>> And that is wrong.
>
>Please can you elaborate on how it is incorrect to say that somebody
>who knows the passphrase to a secret key can make changes to that key.
>Would this maybe be the case when using an encryption subkey with an
>offline main key?

If you make encryption and signing subkeys you can export them (i.e. the secret subkeys), create a new gnupg home directory, import the subkeys, change the password on them, and finally, export and distribute them to the people who are supposed to use them.

By doing this you can have a person who manages the master key separately under another password and the authorized users can use the encryption and signing secret subkeys without being able to make changes to them.

The person who manages the master key can add new UIDs for any new user and give that person a copy of the secret subkeys with the password.  The only problem that I see right away is revoking control when one of the users leaves.  One way that you could remedy this is to revoke the old subkeys and issue new ones.

I am not recommending this method but it is a way that it can be done.

Anyway...

Cheers,

-Paul

--
PGP: 3DB6D884
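The procedure Paul describes (export the secret subkeys, import them into a fresh GnuPG home, change the passphrase there, then export the bundle the users get) as a script. This is an added example, not code from the post or from the GnuPG project; it assumes `gpg` 2.x on the PATH and takes the master key's fingerprint or key ID as a placeholder argument. The `subkeys_only` check reads gpg's colon-format listing, where a `#` in field 15 of the `sec` record marks a primary key that is only a stub, so you can confirm the master key really is absent before distributing anything.

```shell
#!/bin/sh
# Added example (not from the original post or from GnuPG itself): split the
# usable secret subkeys off an offline master key and verify the result.
# Assumes gpg 2.x; $1 is the master key's fingerprint/key ID (placeholder).
set -eu

# Constructed sample of what `gpg --with-colons --list-secret-keys` prints for
# a keyring holding a stub primary ('#' in field 15) and two real subkeys.
SAMPLE_STUB_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1404864000:::u:::scESC:::#:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1404864000::::::e:::::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1404864000::::::s:::::23:'

# Returns 0 when a colon-format secret-key listing (stdin) shows the primary
# key only as a stub ('#' in field 15 of the 'sec' record) and at least one
# non-stub 'ssb' record, i.e. the subkeys are usable but the master key is not.
subkeys_only() {
  awk -F: '
    $1 == "sec" { seen_sec = 1; if ($15 != "#") primary_present = 1 }
    $1 == "ssb" && $15 != "#" { usable_subkeys++ }
    END { exit (seen_sec && !primary_present && usable_subkeys > 0) ? 0 : 1 }
  '
}

# The workflow from the post: export subkeys, import into a fresh GNUPGHOME,
# change the passphrase there, then export the bundle handed to the users.
separate_subkeys() {
  keyid=$1
  outdir=${2:-.}
  userhome=$(mktemp -d)
  chmod 700 "$userhome"

  # 1. From the manager's keyring: the public key plus the secret subkeys only
  #    (the primary secret key is written as a stub, never exported).
  gpg --armor --export "$keyid" > "$outdir/pubkey.asc"
  gpg --armor --export-secret-subkeys "$keyid" > "$outdir/manager-subkeys.asc"

  # 2. Import into a clean home directory that has never held the master key.
  GNUPGHOME=$userhome gpg --batch --import "$outdir/pubkey.asc" "$outdir/manager-subkeys.asc"

  # 3. Set the passphrase the users will receive (interactive pinentry prompt;
  #    if your gpg lacks --passwd, use the passwd subcommand of --edit-key).
  GNUPGHOME=$userhome gpg --passwd "$keyid"

  # 4. Check before handing anything out: 'sec#' plus usable 'ssb' entries.
  if ! GNUPGHOME=$userhome gpg --with-colons --list-secret-keys "$keyid" | subkeys_only; then
    echo "refusing to export: primary secret key present or no usable subkeys" >&2
    return 1
  fi

  # 5. This file, together with pubkey.asc, is what the authorized users get.
  GNUPGHOME=$userhome gpg --armor --export-secret-subkeys "$keyid" > "$outdir/users-subkeys.asc"
  rm -f "$outdir/manager-subkeys.asc"
  rm -rf "$userhome"
  echo "wrote $outdir/users-subkeys.asc; the master key remains only in the manager's keyring"
}

# Usage: sh separate-subkeys.sh <master key fingerprint> [output dir]
if [ "${1:-}" != "" ]; then
  separate_subkeys "$1" "${2:-.}"
fi
```

Users who import `users-subkeys.asc` will see `sec#` in `gpg --list-secret-keys`, which is exactly the state the post wants: they can sign and decrypt but cannot certify, add UIDs or otherwise alter the key. The check in step 4 is the part worth keeping even if the rest is done by hand, because a fresh home that accidentally received the full primary key would export it again in step 5. Revoking a departed user's access still requires revoking the subkeys and issuing new ones, as the post notes.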
