Why create offline main key without encryption capabilities

Suspekt suspekt at gmx.de
Sun Jun 1 21:12:49 CEST 2014


On 01.06.2014 16:17, Hauke Laging wrote:
> On Sun 01.06.2014, 12:54:30, Suspekt wrote:
>
>> But I yet have to find someone recommending to use the offline
>> mainkey also for encryption/decryption of files, that are so
>> important that subkey encryption/decryption is not secure enough.
>
> I do :-)
>
> http://www.openpgp-schulungen.de/kurzinfo/schluesselqualitaet/#offline
>
> http://www.openpgp-schulungen.de/scripte/keygeneration/key-generation.sh

Hauke, I read your site, but obviously I should read it again.
A great help, by the way!


>> Is there a reason for that? Am I missing something?
>
> There are certain risks using the same RSA key for encryption and
> signing. If you make a blind signature over data someone supplied
> then you unintentionally decrypt the data (and send it back).
I don't get it. Decrypting data by signing it?

> There are legal and organizational arguments, too:
>
> 1) If you are forced to give a decryption key to the authorities then
> it is an advantage if they cannot use this key to forge signatures.
That's a good point! Also it will be interesting to explain to the judge
the details of PGP, main keys and subkeys ;)
Probably we have to get an expert from the CCC for that.

> 2) If a signature key has expired then you may delete the private
> part. You should usually never throw away a decryption key, though,
> as it can happen that you have to decrypt data long after the public
> part has expired.
>
> I say: Everyone needs keys at different security levels (German):
> http://www.crypto-fuer-alle.de/wishlist/securitylevel/
Thanks, I'll have a look

> E.g. the key which is going to sign this email is not suitable for
> handling really important data. But as long as hardly anybody has a
> complete high-security key it seems useful to have at least the
> mainkey as a last resort.
>
> Technically you could use other subkeys for higher security levels –
> but who would understand that? Seems very dangerous to me, more
> dangerous than using the mainkey.
>
>
> Hauke
>

suspekt
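The "blind signature decrypts the data" risk that Hauke describes comes from the fact that, in textbook RSA, signing and decrypting are the same private-key exponentiation. The following is an added toy illustration, not code from the thread or from GnuPG: it uses tiny constructed parameters (real keys are thousands of bits and use padding, which is exactly the mitigation), and shows that the same blinded request served by a separate signing key reveals nothing.

```python
# Added toy illustration (not from the thread): textbook RSA with tiny,
# constructed parameters. Real keys are thousands of bits and use padding.

# "Main key" used for BOTH encryption and signing (constructed values).
P, Q, E = 61, 53, 17
N = P * Q                              # 3233
D = pow(E, -1, (P - 1) * (Q - 1))      # 2753

# A separate signing key, as a signing subkey would be (constructed values).
P2, Q2 = 67, 71
N2 = P2 * Q2                           # 4757
D2 = pow(E, -1, (P2 - 1) * (Q2 - 1))   # 3533


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt(c: int) -> int:
    return pow(c, D, N)


def sign(data: int, d: int = D, n: int = N) -> int:
    # Signing is the very same private-key exponentiation as decrypting.
    return pow(data, d, n)


def unblinded_signature(c: int, r: int, d: int, n: int) -> int:
    """Request a signature over c blinded with r^E, then strip the blinding.

    If (d, n) is the key that c was encrypted to, the result is the
    plaintext of c: the signer has decrypted it without noticing.
    """
    blinded = (c * pow(r, E, n)) % n
    s = sign(blinded, d, n)
    return (s * pow(r, -1, n)) % n


def same_key_leaks(m: int, r: int = 7) -> bool:
    """True when a blind signature made with the encryption key reveals m."""
    return unblinded_signature(encrypt(m), r, D, N) == m


def separate_key_leaks(m: int, r: int = 7) -> bool:
    """The same request served by a separate signing key does not reveal m."""
    return unblinded_signature(encrypt(m), r, D2, N2) == m
```

Hash-then-sign with proper padding prevents the leak even for a shared key, but a dedicated signing subkey (or a signing-only main key, as discussed above) removes the dependence on every implementation getting that right.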


