Thanks, now I see why I should use a exclusively subkey for authenticate capability. But I still did't know why the master key have sign and certify capabilities in the default ? I think the sign capability should move to a exclusively subkey.