Why create offline main key without encryption capabilities

[David Shaw]

On Jun 1, 2014, at 3:25 PM, Suspekt <suspekt at gmx.de> wrote:

> OK,lets take the forced-by-law-theory in account. Than the "best" way from a pure security-standpoint in this regard would be:
> 0. OFFline-mainkey (certification of own keys and other people's keys)
> -> 1. OFFline-subkey (signing)
> -> 2. OFFline-subkey (encryption)
> -> 3. ONline-subkey (signing)
> -> 4. ONline-subkey (encryption)
> 
> You use keys 3&4 for everyday-usage. You use keys 1&2 for high-security operations. If you get forced by authorities you would give them exactly the keys they demand (lets say key 1 and key 4), revoke them and create new ones with your offline-mainkey (key 0).
> Or they just force you to hand over your entire keyring but then this whole thing would be half the fun

One problem with multiple encryption subkeys is that the person encrypting to you doesn't know which one to use. As things stand in OpenPGP clients today, unless the person encrypting explicitly specifies which subkey to use (and not all clients even offer a choice at all) they'll *a* subkey, which may or may not be the one you (or they) would have wanted.

This problem doesn't exist in exactly the same way for multiple signing subkeys since which key is used is under your control (the signer), but there is a related problem in that you'd have a "low security" signing key and a "high security" signing key. How does the recipient know which is the intended one at any given time?  From the recipient's perspective, it's just a good signature. There is no "this is a good signature from my high security key" (there is a "good signature from key XXXXX", but they don't know what additional meaning you give to that key in particular).

To be sure, OpenPGP does have enough hooks and capabilities to implement what you're talking about (signature notations to say "this is my high security key", for example) but it isn't done at this time.

David