best practices for creating keys

Peter Lebbing peter at digitalbrains.com
Fri Nov 27 13:10:11 CET 2015


On 27/11/15 12:41, Andrew Gallagher wrote:
> There's a post about how to do this in the list archives:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2009-May/036505.html

Thanks for the pointer!

> ... but it's really not worth your while. So long as your primary key
> doesn't have E usage set*, you can create new A and S subkeys and simply
> refrain from using the primary key for those functions.

I agree for the most part. I'm not so sure about how easy it is to refrain from
using an A-capability. I think when an SSH server indicates it accepts a
signature from my primary key, and that primary key is on a smartcard, GnuPG
will try to do that. So that is in the hands of the server, not the client.
Although you might be able to disable it with an sshcontrol file, I'm not sure
of the exact way it all interacts.

> The only problem you might run into is if one of your correspondents is
> using broken client software that doesn't check signatures against
> multiple subkeys. I've no idea how likely this is though.

Kill that client software until dead. Then some more.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

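A small audit script for the key layout discussed in this exchange, added here by the editor; it is not code from the thread, from GnuPG, or from either poster. It parses the colon-separated output of `gpg --with-colons --with-keygrip --list-keys` (field 12 of a pub/sub record lists the key's own capabilities in lowercase: e, s, c, a) and checks the advice quoted above: the primary key must not carry E, and S and A should live on subkeys. It also lists the keygrips of the A-capable subkeys in the one-keygrip-per-line form gpg-agent's sshcontrol file uses. The listing it runs on is constructed; the key IDs, fingerprints and keygrips are placeholders, not real keys. It accepts sec/ssb records from `--list-secret-keys` as well, which the text does not mention.

```python
"""Audit a GnuPG key listing for a certify-only primary with S/E/A subkeys.

Editor's example, not from the thread or from GnuPG. Input is the output of
    gpg --with-colons --with-keygrip --list-keys
SAMPLE below is constructed; fingerprints/keygrips are placeholders.
GnuPG 2.1+ can create such a layout with, e.g.
    gpg --quick-generate-key 'Name <mail>' rsa4096 cert never
    gpg --quick-add-key FPR rsa4096 sign   (and again with auth, encr)
"""
from dataclasses import dataclass, field


@dataclass
class Key:
    kind: str            # pub/sec = primary key, sub/ssb = subkey
    keyid: str           # field 5
    caps: str            # own capabilities from field 12, lowercase only
    fpr: str = ""        # from the following fpr: record
    grip: str = ""       # from the following grp: record (--with-keygrip)


@dataclass
class Cert:
    primary: Key
    subkeys: list = field(default_factory=list)
    uids: list = field(default_factory=list)


def parse_colons(text):
    """Group pub/sub (or sec/ssb) records with their fpr:, grp: and uid: lines."""
    certs = []
    current = None   # key that subsequent fpr:/grp: records describe
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec", "sub", "ssb") and len(f) < 12:
            continue   # truncated record: skip rather than guess
        if f[0] in ("pub", "sec"):
            current = Key(f[0], f[4], "".join(c for c in f[11] if c in "esca"))
            certs.append(Cert(current))
        elif f[0] in ("sub", "ssb") and certs:
            current = Key(f[0], f[4], "".join(c for c in f[11] if c in "esca"))
            certs[-1].subkeys.append(current)
        elif f[0] == "fpr" and current is not None:
            current.fpr = f[9]
        elif f[0] == "grp" and current is not None:
            current.grip = f[9]
        elif f[0] == "uid" and certs:
            certs[-1].uids.append(f[9])
    return certs


def audit(cert):
    """Findings for one certificate; an empty list means it matches the advice."""
    findings = []
    p = cert.primary
    if "e" in p.caps:
        # Senders pick the encryption key, so an E-capable primary cannot be
        # retired by the owner merely declining to use it.
        findings.append(f"fail: primary {p.keyid} has E capability")
    for c in "sa":
        if c in p.caps:
            findings.append(f"note: primary {p.keyid} still has {c.upper()}; "
                            "it must simply never be used for that")
    provided = set("".join(k.caps for k in cert.subkeys))
    for c in "sea":
        if c not in provided:
            findings.append(f"fail: no subkey provides {c.upper()}")
    return findings


def sshcontrol_lines(cert):
    """Keygrips for gpg-agent's sshcontrol (one keygrip per line).

    Only A-capable subkeys are enabled. An A-capable primary is written with
    the '!' prefix, which the template header of sshcontrol documents as
    disabling that entry. Whether gpg-agent still offers a smartcard-resident
    primary to SSH regardless is the open question in the thread.
    """
    lines = []
    for k in [cert.primary] + cert.subkeys:
        if "a" in k.caps and k.grip:
            disabled = k.kind in ("pub", "sec")
            lines.append(("!" if disabled else "") + k.grip)
    return lines


# Constructed listing: one key laid out as advised, one old-style key.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1448625600:::u:::cESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1448625600::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user at example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1448625600::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
sub:u:4096:1:1111222233334444:1448625600::::::e::::::23:
fpr:::::::::1111222233334444111122223333444411112222:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
sub:u:4096:1:5555666677778888:1448625600::::::a::::::23:
fpr:::::::::5555666677778888555566667777888855556666:
grp:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
pub:u:2048:1:9999AAAABBBBCCCC:1250000000:::u:::escaESCA::::::23::0:
fpr:::::::::9999AAAABBBBCCCC9999AAAABBBBCCCC9999AAAA:
grp:::::::::EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:
uid:u::::1250000000::9999AAAABBBBCCCC9999AAAABBBBCCCC9999AAAA::Old Style <old at example.org>::::::::::0:
sub:u:2048:1:DDDDEEEEFFFF0000:1250000000::::::e::::::23:
fpr:::::::::DDDDEEEEFFFF0000DDDDEEEEFFFF0000DDDDEEEE:
grp:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
"""

if __name__ == "__main__":
    for cert in parse_colons(SAMPLE):
        print(cert.uids[0] if cert.uids else cert.primary.keyid)
        for msg in audit(cert) or ["ok: certify-only primary, S/E/A on subkeys"]:
            print("  ", msg)
        for line in sshcontrol_lines(cert):
            print("   sshcontrol:", line)
```

Run it against your own keyring with `gpg --with-colons --with-keygrip --list-keys | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; the "fail" lines are the cases the quoted advice rules out, the "note" lines are capabilities that are tolerable only as long as they stay unused.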