some beginner questions

Neal H. Walfield neal at walfield.org
Sun Apr 2 21:00:46 CEST 2017


At Sun, 2 Apr 2017 11:20:16 -0700,
Doug Barton wrote:
> On 04/01/2017 07:10 AM, Will Senn wrote:
> > 3. I've read
> > https://superuser.com/questions/466396/how-to-manage-gpg-keys-across-multiple-systems
> > and other such pieces proclaiming the value of having the master key in
> > a safe place and having subkeys on your actual devices.
> 
> What do you think a master key is, and why do you think it's important
> to protect it? What kind of devices do you want to put signing subkeys
> on? Why do you think that your use of PGP will be more secure if you
> have a signing subkey on a device, instead of your "main key?"

Your main key is a unique global identifier.  It is what you write on
your business card and what you compare to validate a key.  If it is
compromised, then you need to revoke your main key and generate a new
one.  This means you have to throw away your old business cards and
inform all of your contacts that you have a new key.  If a subkey is
compromised, then you only need to rotate the subkey, not the whole
key.  In other words, you don't have to throw away your business cards
or inform your contacts that something has changed: their OpenPGP
implementation will automatically learn about the changes the next
time your key is refreshed.

In short, the main key acts as a level of indirection, which separates
your identity from your encryption/signing keys.
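The split described above, acted out with GnuPG as an added example that is not part of the original message: the primary key stays in a scratch "vault" home, only subkeys are shipped to a scratch "device" home, and a subkey rotation leaves the primary fingerprint untouched. It assumes gpg 2.1 or later on PATH; every name, user ID and directory is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two scratch GnuPG homes act out the split the
# reply describes. VAULT is the offline machine holding the primary key, DEVICE is a
# laptop that only ever holds subkeys. Assumes gpg >= 2.1 on PATH; all names constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demonstrate" >&2; exit 0; }

VAULT=$(mktemp -d); DEVICE=$(mktemp -d); chmod 700 "$VAULT" "$DEVICE"
cleanup() { for h in "$VAULT" "$DEVICE"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$h"; done; }
trap cleanup EXIT

# Every call is non-interactive; an empty passphrase keeps the demo self-contained.
g() { _h=$1; shift; GNUPGHOME="$_h" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the first secret key in a home: the identifier that goes on the business card.
primary_fpr() { g "$1" --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}'; }

# The primary key is certify-only and never expires: it signs subkeys and user IDs, nothing else.
create_primary() { g "$VAULT" --quick-generate-key 'Example User <user@example.invalid>' ed25519 cert never; }

# A signing subkey with a bounded lifetime is what actually lives on the device.
add_signing_subkey() { g "$VAULT" --quick-add-key "$(primary_fpr "$VAULT")" ed25519 sign 1y; }

# Ship subkeys only: --export-secret-subkeys writes a stub in place of the primary secret key.
provision_device() { g "$VAULT" --export-secret-subkeys "$(primary_fpr "$VAULT")" | g "$DEVICE" --import; }

# Contacts (and the device) learn about rotated subkeys by refreshing the public key.
publish_to_device() { g "$VAULT" --export "$(primary_fpr "$VAULT")" | g "$DEVICE" --import; }

# In --with-colons output, field 15 of a sec record is '#' when only a stub of the primary is present.
primary_is_stub_on_device() {
  g "$DEVICE" --with-colons --list-secret-keys | awk -F: '$1=="sec"{s=1; if($15=="#") ok=1} END{exit !(s && ok)}'
}
device_secret_subkeys() { g "$DEVICE" --with-colons --list-secret-keys | grep -c '^ssb:'; }

create_primary
BEFORE=$(primary_fpr "$VAULT")
add_signing_subkey; provision_device
# Rotation: a fresh subkey is minted in the vault and pushed out; the identifier stays put.
add_signing_subkey; provision_device; publish_to_device
AFTER=$(primary_fpr "$VAULT")
echo "primary $BEFORE unchanged after rotation: $([ "$BEFORE" = "$AFTER" ] && echo yes || echo no)"
echo "device secret subkeys: $(device_secret_subkeys), primary is only a stub: $(primary_is_stub_on_device && echo yes || echo no)"
```

Retiring the old subkey (revoking it in the vault and republishing) travels the same export-and-refresh path as the new one; the business-card fingerprint never changes.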



More information about the Gnupg-users mailing list