some beginner questions

Will Senn wsenn1 at
Mon Apr 3 01:23:14 CEST 2017

On 4/2/17 2:00 PM, Neal H. Walfield wrote:
> At Sun, 2 Apr 2017 11:20:16 -0700,
> Doug Barton wrote:
>> On 04/01/2017 07:10 AM, Will Senn wrote:
>>> 3. I've read
>>> and other such pieces proclaiming the value of having the master key in
>>> a safe place and having subkeys on your actual devices.
>> What do you think a master key is, and why do you think it's important
>> to protect it? What kind of devices do you want to put signing subkeys
>> on? Why do you think that your use of PGP will be more secure if you
>> have a signing subkey on a device, instead of your "main key?"
> Your main key is a unique global identifier.  It is what you write on
> your business card and what you compare to validate a key.  If it is
> compromised, then you need to revoke your main key and generate a new
> one.  This means you have to throw away your old business cards and
> inform all of your contacts that you have a new key.  If a subkey is
> compromised, then you only need to rotate the subkey, not the whole
> key.  In other words, you don't have to throw away your business cards
> or inform your contacts that something has changed: their OpenPGP
> implementation will automatically learn about the changes the next
> time your key is refreshed.
> In short, the main key acts as a level of indirection, which separates
> your identity from your encryption/signing keys.
Sounds like what I was led to believe to be the case, but at the end of
the day, I don't seem to be able to sign anything with the signing
subkey if the master key is not present (with sec instead of sec#). Do
you know how I get it to use the subkey? (The manual says it will default
to a signing subkey, but that's not my experience.)
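The first thing to establish in Will's situation is what gpg itself thinks is on the machine: whether the primary secret key is really just a stub (the `sec#` marker) and which subkey actually carries the signing capability. The script below is an added example, not code from either poster; it reads GnuPG's machine-readable `--with-colons` listing format, where field 12 holds the capability letters (`s` sign, `e` encrypt, `c` certify, `a` authenticate) and field 15 is `#` for a secret-key stub and `+` when the secret material is present. The sample listing and its key IDs are constructed placeholders, and the final helper builds the documented `keyid!` form that forces gpg to use one specific subkey rather than choosing one itself.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose whether a signing subkey can be
# used while the primary secret key is offline, using gpg's colon-separated
# listing format.

# Constructed sample of `gpg --with-colons --list-secret-keys` output.
# Key IDs and fingerprint are made-up placeholders. The primary (sec) record
# has '#' in field 15, i.e. only a stub is present; both subkeys have '+'.
SAMPLE_OFFLINE='sec:u:4096:1:0123456789ABCDEF:1491000000:::u:::cSC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1491000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1491000000::::::s:::+:::23:
ssb:u:4096:1:1111222233334444:1491000000::::::e:::+:::23:'

# primary_status: read a colon listing on stdin and print "offline" when the
# primary secret key is a stub (what the human-readable listing shows as
# "sec#"), or "online" when its secret material is present.
primary_status() {
    awk -F: '$1 == "sec" { s = ($15 == "#") ? "offline" : "online"; print s; exit }'
}

# signing_subkeys: print the key ID of every subkey that has the signing
# capability ("s" in field 12) and whose secret part is actually present.
signing_subkeys() {
    awk -F: '$1 == "ssb" && index($12, "s") > 0 && $15 != "#" { print $5 }'
}

# sign_cmd: build the gpg invocation that pins one specific subkey.
# The trailing "!" is gpg's documented way to force that exact key instead
# of letting gpg pick a subkey on its own.
sign_cmd() {
    printf 'gpg --local-user %s! --detach-sign\n' "$1"
}

# Run against the constructed sample; on a real machine replace the sample
# with: gpg --with-colons --list-secret-keys
printf 'primary key: %s\n' "$(printf '%s\n' "$SAMPLE_OFFLINE" | primary_status)"
for id in $(printf '%s\n' "$SAMPLE_OFFLINE" | signing_subkeys); do
    printf 'usable signing subkey %s -> %s\n' "$id" "$(sign_cmd "$id")"
done
```

If the listing shows the primary as a stub and an `s`-capable `ssb` with `+`, the subkey can sign without the primary; running the `keyid!` command it prints rules out gpg's own key selection as the cause, and any error that remains comes from the key material itself.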