Why create offline main key without encryption capabilities

Suspekt suspekt at gmx.de
Mon Jun 2 17:30:15 CEST 2014

On 02.06.2014 17:01, David Shaw wrote:
 > One problem with multiple encryption subkeys is that the person
 > encrypting to you doesn't know which one to use. As things stand in
 > OpenPGP clients today, unless the person encrypting explicitly
 > specifies which subkey to use (and not all clients even offer a
 > choice at all) they'll use *a* subkey, which may or may not be the one
 > you (or they) would have wanted.
 > This problem doesn't exist in exactly the same way for multiple
 > signing subkeys since which key is used is under your control (the
 > signer), but there is a related problem in that you'd have a "low
 > security" signing key and a "high security" signing key. How does the
 > recipient know which is the intended one at any given time?  From the
 > recipient's perspective, it's just a good signature. There is no
 > "this is a good signature from my high security key" (there is a
 > "good signature from key XXXXX", but they don't know what additional
 > meaning you give to that key in particular).
 > To be sure, OpenPGP does have enough hooks and capabilities to
 > implement what you're talking about (signature notations to say "this
 > is my high security key", for example) but it isn't done at this
 > time.
 > David
Correct me if I'm wrong, but doesn't GPG prefer the keys created last
over keys created earlier? So it would use the every-day keys by default
and use the high-security keys only if told specifically?


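An added example, not part of the original thread, to make the selection rule under discussion concrete. It models, in Python, how a client picks an encryption subkey from a key with several of them, run over a constructed `gpg --list-keys --with-colons` listing (the key IDs and timestamps are made up). Two assumptions are built in: the default rule is "newest usable encryption-capable subkey", which is the behaviour the question above describes and the behaviour GnuPG has as far as I know; and the field positions (validity in field 2, key ID in field 5, creation and expiration as epoch seconds in fields 6 and 7, capabilities in field 12) follow GnuPG's doc/DETAILS for current versions. The `KEYID!` form is GnuPG's own syntax for forcing one specific subkey.

```python
"""Model of encryption-subkey selection over a gpg --with-colons listing.

Added example; not code from GnuPG or from the original mailing-list post.
The listing below is constructed: the key IDs and dates are not real keys.
"""

# Field layout used here (1-indexed, per GnuPG's doc/DETAILS, assumed):
#   1 record type, 2 validity, 5 key ID, 6 creation (epoch seconds),
#   7 expiration (epoch seconds or empty), 12 key capabilities.
# Subkeys, oldest first:
#   AAAA...1  2012, encryption, the "high security" key in the thread's sense
#   DDDD...4  2013, encryption, but expired on 2014-01-01
#   BBBB...2  2014, encryption, the "every-day" key
#   CCCC...3  2014, signing only, never a candidate for encryption
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1325376000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1325376000::HASH::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:AAAAAAAAAAAAAAA1:1325376000::::::e::::::23:
sub:u:4096:1:DDDDDDDDDDDDDDD4:1356998400:1388534400::::e::::::23:
sub:u:4096:1:BBBBBBBBBBBBBBB2:1388534400::::::e::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCC3:1388534400::::::s::::::23:
"""

# Same key, but the every-day subkey has since been revoked (validity 'r').
REVOKED_LISTING = SAMPLE_LISTING.replace(
    "sub:u:4096:1:BBBBBBBBBBBBBBB2", "sub:r:4096:1:BBBBBBBBBBBBBBB2")

# "Now" for the examples: 2014-06-02, the date of the thread.
NOW = 1401722400


def usable_encryption_subkeys(listing, now):
    """Return [(creation_time, keyid)] for subkeys a client may encrypt to.

    A subkey is dropped if it lacks the 'e' capability, if the listing marks it
    revoked/expired/disabled/invalid, or if its expiration time has passed.
    """
    candidates = []
    for line in listing.splitlines():
        f = line.split(":")
        if not f or f[0] != "sub":
            continue
        f += [""] * (13 - len(f))          # tolerate short records
        validity, keyid, created, expires, caps = f[1], f[4], f[5], f[6], f[11]
        if "e" not in caps:
            continue                        # not an encryption subkey
        if validity in ("r", "e", "d", "i"):
            continue                        # revoked, expired, disabled, invalid
        if expires and int(expires) <= now:
            continue                        # expiration timestamp in the past
        candidates.append((int(created), keyid))
    return candidates


def select_encryption_subkey(listing, now, recipient=None):
    """Pick the subkey to encrypt to.

    recipient=None models the default choice: the newest usable subkey wins
    (assumed GnuPG behaviour). recipient='KEYID!' models GnuPG's syntax for
    forcing that exact subkey; it still has to be a usable encryption subkey.
    Returns the key ID, or None if nothing qualifies.
    """
    candidates = usable_encryption_subkeys(listing, now)
    if recipient is not None and recipient.endswith("!"):
        wanted = recipient[:-1].upper()
        for _, keyid in candidates:
            if keyid.endswith(wanted):      # allow short or long key IDs
                return keyid
        return None
    if not candidates:
        return None
    return max(candidates)[1]               # newest creation time


if __name__ == "__main__":
    print("default           :", select_encryption_subkey(SAMPLE_LISTING, NOW))
    print("forced AAAA...1!  :", select_encryption_subkey(SAMPLE_LISTING, NOW,
                                                          "AAAAAAAAAAAAAAA1!"))
    print("newest revoked    :", select_encryption_subkey(REVOKED_LISTING, NOW))
```

Under the default rule the sender lands on the 2014 every-day subkey without knowing that the 2012 one was meant as the high-security key, which is the problem David describes: only an explicit `KEYID!` recipient, or a revocation or expiry of the newer subkey, steers the choice elsewhere.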
More information about the Gnupg-users mailing list