The best practice of master/sub key capabilities

Dongsheng Song at
Sat Aug 22 17:25:27 CEST 2015

On Fri, Aug 21, 2015 at 6:49 PM, Peter Lebbing <peter at> wrote:
> On 21/08/15 11:31, Dongsheng Song wrote:
>> But I still did't know why the master key have sign and certify
>> capabilities in the default ?
> I suppose because it doesn't hurt. They're both signatures in essence;
> cryptographically they are the same and exchangable. The difference only
> lies in the interpretation.
> Also note that anyone who has access to the primary key material can
> issue data signatures at will. They could either add the Sign capability
> to the key or (easier) create a new subkey with which to issue signatures.
> The actual reason why the default is as it is can probably best be
> answered by someone else, though, since I can only guess.

Maybe create more subkey need more entropy, gain enough entropy need
very long time ?

Now I want to create my new key like this:

sec   rsa4096/93D374EB 2015-08-22 [C]
uid         [ultimate] example <example at>
ssb   rsa2048/466D08E1 2015-08-22 [S]
ssb   rsa2048/AD92E667 2015-08-22 [E]
ssb   rsa2048/07DEFA25 2015-08-22 [A]
ssb   ed25519/AE83BE7C 2015-08-22 [S]
ssb   cv25519/0FACE148 2015-08-22 [E]
ssb   ed25519/610E5096 2015-08-22 [A]

If something bad happened to my subkeys, I can create new subkeys as well.

More information about the Gnupg-users mailing list