Best practices for securely creating master RSA key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon May 12 18:52:47 CEST 2014


On 05/12/2014 03:35 AM, Tomer Altman wrote:

> You recommend creating a revocation certificate against the private key, but the GPG documentation seems to recommend creating the revocation certificate against the public (sub-)key:
> 
> https://www.gnupg.org/gph/en/manual.html#REVOCATION
> 
> What are the pluses and minuses of the two approaches?

I think they're not different approaches.  You need the secret key to
make a revocation certificate, but it applies to the full OpenPGP
certificate anchored by the primary key.

There are different kinds of revocations that you can make: a revocation
that revokes a subkey or a user ID is narrower than a revocation that
revokes a primary key.

If you still have exclusive access to the primary key, then you can
always issue one of the narrower certifications yourself directly.

So the only thing you need a revocation certificate for is for the
primary key.  Does that make sense?

> Also, do you know if such a set of recommended steps is documented somewhere. I *swear* that I saw it somewhere on the myriad GPG webpages, but now I can't seem to find it. If it does not exist, do you think it would be worthwhile to add it somewhere, perhaps as a FAQ entry?

There are indeed lots of documents in existence that touch on these
ideas, but that's understandable since there is no one single best way
to create an OpenPGP certificate for ever: there are too many
circumstances with different goals and requirements.  I think it's
entirely legitimate to write up a high-quality reasonable suggestion for
a common use case though, which is what it sounds like you're aiming for.

And maybe some (or all) of it should go in the FAQ, but I'll let Robert
(who maintains the FAQ, iirc) weigh in on that.

Regards,

	--dkg
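The distinction drawn in the reply above, as an added walkthrough that is not part of the original thread and not GnuPG's own code: in a throwaway GNUPGHOME it revokes a user ID directly (possible because the primary key is at hand, no pre-made certificate involved), then generates a revocation certificate for the primary key and applies it, which revokes the whole OpenPGP certificate. It assumes GnuPG 2.2 or later on PATH; the identity, user IDs and file names are constructed for the example, and the answers fed to `--gen-revoke` through `--command-fd` correspond to "create it, no reason given, no description, confirm".

```shell
#!/bin/sh
# Added example; not code from the original thread or from GnuPG itself.
# It shows, in a throwaway GNUPGHOME, the two kinds of revocation dkg
# distinguishes: a narrower user-ID revocation issued directly because the
# primary key is at hand, and a standalone revocation certificate for the
# primary key, generated now and applied later.
# Assumptions: GnuPG 2.2 or later is on PATH; the identity, user IDs and
# file names below are constructed for this example.
set -eu

# Non-interactive gpg. The demo key is created without a passphrase, so
# loopback pinentry with an empty passphrase never has to prompt.
gpg_batch() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Validity column of the pub record for key $1 ('u' own key, 'r' revoked).
key_validity() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Validity column of the uid record of key $1 whose user ID contains $2.
uid_validity() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: -v needle="$2" '$1 == "uid" && index($10, needle) { print $2; exit }'
}

# Generate a certify-only primary key plus an encryption subkey and a second
# user ID, so there is something narrower than the primary key to revoke.
# Prints the primary key fingerprint.
create_demo_key() {
    gpg_batch --quick-generate-key 'Demo <demo@example.invalid>' rsa2048 cert never
    fpr=$(gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg_batch --quick-add-key "$fpr" rsa2048 encr never
    gpg_batch --quick-add-uid "$fpr" 'Demo (old address) <old@example.invalid>'
    echo "$fpr"
}

# Revocation certificate for the primary key $1, written to $2.
# --gen-revoke is interactive by design and refuses --batch, so its prompts
# are answered through --command-fd: "y" create it, "0" no reason given,
# "" end of description, "y" confirm. The output is ASCII-armored.
gen_primary_revocation() {
    printf 'y\n0\n\ny\n' \
        | gpg --quiet --no-tty --command-fd 0 --output "$2" --gen-revoke "$1"
}

run_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    fpr=$(create_demo_key)
    DEMO_KEY_BEFORE=$(key_validity "$fpr")

    # Narrower revocation: with the primary key available, revoke the stale
    # user ID directly. No pre-made certificate is involved.
    gpg_batch --quick-revoke-uid "$fpr" 'Demo (old address) <old@example.invalid>'
    DEMO_UID_AFTER=$(uid_validity "$fpr" 'old@example.invalid')
    DEMO_KEY_AFTER_UID=$(key_validity "$fpr")

    # Primary-key revocation: generate the certificate while the key is still
    # exclusively ours; in real use it would be stored offline at this point.
    gen_primary_revocation "$fpr" "$GNUPGHOME/revoke.asc"
    # Applying it (here: importing into the same keyring, as a keyserver or
    # correspondent would) revokes the whole OpenPGP certificate.
    gpg_batch --import "$GNUPGHOME/revoke.asc"
    DEMO_KEY_AFTER_IMPORT=$(key_validity "$fpr")

    printf 'key %s: validity before=%s, revoked uid=%s, key after uid revoke=%s, key after cert import=%s\n' \
        "$fpr" "$DEMO_KEY_BEFORE" "$DEMO_UID_AFTER" "$DEMO_KEY_AFTER_UID" "$DEMO_KEY_AFTER_IMPORT"

    gpgconf --kill gpg-agent || true
    rm -rf "$GNUPGHOME"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo 'gpg not found on PATH; nothing to demonstrate' >&2
fi
```

After the user-ID revocation the key itself still lists as valid and only the stale uid record carries 'r'; after importing revoke.asc the pub record itself is 'r'. Note also that GnuPG 2.1 and later already write a revocation certificate to `openpgp-revocs.d/<fingerprint>.rev` under GNUPGHOME when a key is generated, with a colon placed before the `-----BEGIN` line so it cannot be imported by accident; whichever certificate you keep, the point of the thread stands: it is the primary key's revocation you need to prepare in advance, because the narrower ones can be issued on demand for as long as you hold the primary key.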
