The best practice of master/sub key capabilities

Peter Lebbing peter at
Fri Aug 21 12:49:05 CEST 2015

On 21/08/15 11:31, Dongsheng Song wrote:
> But I still did't know why the master key have sign and certify
> capabilities in the default ?

I suppose because it doesn't hurt. They're both signatures in essence;
cryptographically they are the same and exchangable. The difference only
lies in the interpretation.

Also note that anyone who has access to the primary key material can
issue data signatures at will. They could either add the Sign capability
to the key or (easier) create a new subkey with which to issue signatures.

The actual reason why the default is as it is can probably best be
answered by someone else, though, since I can only guess.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list