Migrating key to smartcard
dgouttegattat at incenp.org
Wed Jul 6 10:25:58 CEST 2016
On 07/05/2016 09:27 PM, Karol Babioch wrote:
>> No, only the master key can sign other keys.
> Is this a limitation of GPG and my premises or is this something
> inherent to the OpenPGP standard?
According to the standard, any key with the "Certify" flag set can be
used to sign other keys. And unless I'm mistaken, the standard does not
explicitly restrict this flag to master keys only.
So, I guess it should be possible (at least in theory) to have a subkey
with this flag, and to use it to sign other keys. But I don't think
GnuPG allows to do that (or any other OpenPGP implementation).
> Storing the master key offline and having to import it whenever I want
> to sign other keys might actually decrease security, since it offers
> enough of a possiblity to mess things up
True enough. In my case, I try to minimize the risk of human error by
using a script which automatically brings the key online (from its
offline USB storage), executes a single GnuPG command, then remove the
If you are interested, I've written a blog post  in which I give an
example of such a script.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 455 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users