Usage text

Peter Lebbing peter at
Tue Feb 9 11:24:06 CET 2016

On 06/02/16 15:17, Robert J. Hansen wrote:
> Proposed FAQ language -- feel free to criticize, to suggest alternate
> phrasings, or anything else.  :)

While the primary key is certainly in a subordinate position to the
certificate, I don't think it's common to refer to it as a subkey of the
certificate? In my mind, you have the primary key, and zero or more
subkeys. So I suggest the following:



Q: When I view my certificate I see letters like S, C, E, and A.  What
do they mean?

A: Your certificate contains two or more cryptographic keys. There's a
primary key, and possibly several subkeys. Different keys get used for
different sorts of tasks.

There are four different tasks a key can perform.  It can

	* (S)ign data, so others know it came from you
	* (C)ertify somebody else's certificate, so others
          can see you vouching for it
	* (E)ncrypt data to you
	* (A)uthenticate you to a computer system

For instance, looking at my own certificate, we see:

    laptop:~ rjh$ gpg --edit-key rob at
    Secret key is available.

    sec  rsa3072/1DCBDC01B44427C7
         created: 2015-07-16  expires: never       usage: SC
         card-no: 0005 00000D18
         trust: ultimate      validity: ultimate
    ssb  rsa3072/DC0F82625FA6AADE
         created: 2015-07-16  expires: never       usage: E
         card-no: 0005 00000D18
    [ultimate] (1). Robert J. Hansen <rob at>
    [ultimate] (2)  Robert J. Hansen <rjh at>

Key 1DCBDC01B44427C7 can be used to sign data or certify other
people's certificates; subkey DC0F82625FA6AADE can only be used to
encrypt data.

The primary key is always the key to certify other people's
certificates. This is never a task for a subkey.

You don't need to keep track of subkeys.  GnuPG will never ask you for a
specific key in a certificate.  Instead, GnuPG will ask you for a
certificate ID. GnuPG will then use whichever (sub)key is appropriate
for the task it's performing.  If two or more keys in the certificate
are appropriate, it will use the newer one.


I also emphasized the first letters of the words. People who like
certain puzzles will immediately notice the correspondence of the first
letters of your itemization to the letters of the capabilities, but
others might need to hunt for it before they get it. Typographically, it
did suffer. Feel free to remove it, but you could also use boldface.

By the way, I think the abbreviations GnuPG uses are in favour of my
interpretation of the word subkey:

pub - public key
sub - subkey
sec - secret key
ssb - secret subkey

Then again, I'm interpreting these terms coming from my view of the
terminology, so it's a bit of a circular reasoning :).



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list