The best practice of master/sub key capabilities
dongsheng.song at gmail.com
Sat Aug 22 17:25:27 CEST 2015
On Fri, Aug 21, 2015 at 6:49 PM, Peter Lebbing <peter at digitalbrains.com> wrote:
> On 21/08/15 11:31, Dongsheng Song wrote:
>> But I still didn't know why the master key has sign and certify
>> capabilities by default?
> I suppose because it doesn't hurt. They're both signatures in essence;
> cryptographically they are the same and exchangeable. The difference only
> lies in the interpretation.
> Also note that anyone who has access to the primary key material can
> issue data signatures at will. They could either add the Sign capability
> to the key or (easier) create a new subkey with which to issue signatures.
> The actual reason why the default is as it is can probably best be
> answered by someone else, though, since I can only guess.
Maybe creating more subkeys needs more entropy, and gaining enough entropy takes a
very long time?
Now I want to create my new key like this:
sec rsa4096/93D374EB 2015-08-22 [C]
uid [ultimate] example <example at someone.xyz>
ssb rsa2048/466D08E1 2015-08-22 [S]
ssb rsa2048/AD92E667 2015-08-22 [E]
ssb rsa2048/07DEFA25 2015-08-22 [A]
ssb ed25519/AE83BE7C 2015-08-22 [S]
ssb cv25519/0FACE148 2015-08-22 [E]
ssb ed25519/610E5096 2015-08-22 [A]
If something bad happened to my subkeys, I can create new subkeys as well.
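The layout above, scripted as an added example that is not part of this message: it builds a certify-only primary key plus separate S/E/A subkeys and then checks from the --with-colons listing that the primary carries nothing but C. It assumes GnuPG 2.1 or later (--quick-generate-key and --quick-add-key), a throwaway GNUPGHOME and an empty passphrase for demonstration only.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1+ and a fresh GNUPGHOME.
set -e

# new_home: create a throwaway GNUPGHOME and allow loopback pinentry so that
# --passphrase works without an interactive prompt (demo only, no protection).
new_home() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
}

# g: run gpg non-interactively with an empty passphrase.
g() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# primary_fpr "<user id>": the first fpr record after sec is the primary key.
primary_fpr() {
    g --with-colons --list-secret-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# create_split_key "<user id>": certify-only primary (usage "cert" creates no
# subkeys), then S/E/A subkeys in the same order as the listing above.
# Prints the primary fingerprint.
create_split_key() {
    uid="$1"
    g --quick-generate-key "$uid" rsa4096 cert never
    fpr=$(primary_fpr "$uid")
    for spec in rsa2048:sign rsa2048:encr rsa2048:auth \
                ed25519:sign cv25519:encr ed25519:auth; do
        g --quick-add-key "$fpr" "${spec%%:*}" "${spec##*:}" never
    done
    echo "$fpr"
}

# capabilities_of "<user id>": one line per key record, e.g. "sec c" or "ssb s".
# In --with-colons output field 12 holds capabilities: lowercase letters belong to
# that key itself, uppercase letters summarise the whole key and are dropped.
capabilities_of() {
    g --with-colons --list-secret-keys "$1" |
        awk -F: '$1=="sec"||$1=="ssb"{c=$12; gsub(/[^a-z]/,"",c); print $1, c}'
}

# check_primary_certify_only "<user id>": true only if the primary is C-only.
check_primary_certify_only() {
    [ "$(capabilities_of "$1" | awk '$1=="sec"{print $2}')" = "c" ]
}
```

Run it as `new_home; create_split_key "example <example@someone.xyz>"; capabilities_of "example <example@someone.xyz>"`, and finish with `gpgconf --kill gpg-agent` before removing the temporary home.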