The best practice of master/sub key capabilities

Simon Josefsson simon at josefsson.org
Sat Aug 22 00:12:02 CEST 2015


Dongsheng Song <dongsheng.song at gmail.com> writes:

> Hi all,
>
> When I create a new master/sub key, of the following 2 choices, I'm
> wondering which is better?
>
> 1) master key has SCEA capabilities
>
> sec  rsa4096/A19676A1
>      created: 2015-08-20  expires: never       usage: SCEA
>      trust: ultimate      validity: ultimate
> ssb  rsa4096/27ADD750
>      created: 2015-08-20  expires: never       usage: SEA
>
> 2) master key has only Certify capability
>
> sec  rsa4096/1F8AFCAD
>      created: 2015-08-20  expires: never       usage: C
>      trust: ultimate      validity: ultimate
> ssb  rsa4096/8E1D2A87
>      created: 2015-08-20  expires: never       usage: SEA

I would use a SC master key because I would want to use it to certify
others' keys, and would also be able to use it to sign statements in
case something bad happened to my sub-keys.

I would use three separate sub-keys, one each for the three SEA usages.

/Simon
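
An added example, not part of the original message: a check of a key's capability layout against the one suggested in the reply (SC primary key, one sub-key each for S, E and A), run over `gpg --with-colons` output. The sample listing and its key IDs are constructed; the function names are this example's own.

```python
# Constructed sample in `gpg --list-secret-keys --with-colons` format.
# Key IDs are placeholders, not the keys shown in the thread.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAA1:1440028800:::u:::sceaSCEA:
ssb:u:4096:1:AAAAAAAAAAAAAAA2:1440028800::::::sea:
sec:u:4096:1:BBBBBBBBBBBBBBB1:1440028800:::u:::cSCEA:
ssb:u:4096:1:BBBBBBBBBBBBBBB2:1440028800::::::sea:
sec:u:4096:1:CCCCCCCCCCCCCCC1:1440028800:::u:::scSCEA:
ssb:u:4096:1:CCCCCCCCCCCCCCC2:1440028800::::::s:
ssb:u:4096:1:CCCCCCCCCCCCCCC3:1440028800::::::e:
ssb:u:4096:1:CCCCCCCCCCCCCCC4:1440028800::::::a:
"""

def fmt(caps):
    """Render a capability set in gpg's usual S/C/E/A order."""
    return "".join(c for c in "scea" if c in caps).upper()

def parse_keys(listing):
    """Return [(primary_id, primary_caps, [(sub_id, sub_caps), ...]), ...]."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12:
            continue
        # Field 12: lowercase letters are this key's own capabilities;
        # uppercase letters on a primary key summarise the whole key.
        own = {c for c in f[11] if c in "scea"}
        if f[0] in ("pub", "sec"):
            keys.append((f[4], own, []))
        elif f[0] in ("sub", "ssb") and keys:
            keys[-1][2].append((f[4], own))
    return keys

def audit(listing):
    """Map primary key ID -> deviations from the layout in the reply."""
    report = {}
    for key_id, caps, subs in parse_keys(listing):
        issues = []
        if caps != {"s", "c"}:
            issues.append("primary usage is %s, not SC" % fmt(caps))
        for sub_id, sub_caps in subs:
            if len(sub_caps) != 1:
                issues.append("sub-key %s combines %s" % (sub_id, fmt(sub_caps)))
        missing = {"s", "e", "a"} - set().union(*[c for _, c in subs])
        if missing:
            issues.append("no sub-key for %s" % fmt(missing))
        report[key_id] = issues
    return report
```
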
More information about the Gnupg-users mailing list