'sign (and cert)' or just 'cert' on a master key with subkeys

Andrew Gallagher andrewg at andrewg.com
Mon Jul 31 00:37:05 CEST 2017

> On 30 Jul 2017, at 21:19, Dirk-Willem van Gulik <dirkx at webweaving.org> wrote:
> I see a growing number of keys that have well managed & expired separate subkeys for Signing, Encryption and Authentication switch from ‘SC’ on the master key to just ‘C’ (all RSA, ignoring DSA).
> Would anyone know if there is some documented best practice?

I don't think it particularly matters if you have both an S primary and an S subkey. I can't think of any use case where it would be a problem (although I'm sure now I've said it someone will correct me). 

What I have found problematic myself is having an A primary and an A subkey. This is because my primary is offline and I use smartcards for my subkeys, and there exist some applications which only accept one auth key. There have been times when I have mixed up my online and offline A pubkeys, which is not a security issue, but is a usability one.

So I personally would not recommend having more than one valid A (sub)key at any one time - purely for your own sanity. 
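The usability problem described above (two valid authentication-capable keys, one on the offline primary and one on a smartcard subkey, that get mixed up) is easy to check for mechanically. The script below is an added example, not code from Andrew or from GnuPG: it parses the machine-readable `gpg --list-keys --with-colons` output, where field 12 lists a key's own capabilities in lowercase (`a` for authentication) and field 2 carries the validity code (`e` expired, `r` revoked, `d` disabled), and reports when more than one usable A key exists at the same time. The sample records embedded in it are constructed, with placeholder key IDs, so it runs offline; `list_keys_colon()` fetches real output if `gpg` is installed.

```python
"""Flag keyrings that carry more than one usable authentication (A) key.

Parses the colon-delimited format of `gpg --list-keys --with-colons`.
Field indices used (0-based after split on ':'):
  0 record type (pub/sub), 1 validity, 4 key ID, 6 expiry, 11 capabilities.
"""
import subprocess
import time

# Validity codes GnuPG puts in field 2 for keys that are no longer usable.
UNUSABLE = {"e", "r", "d", "i", "n"}


def auth_keys(colon_output, now=None):
    """Return [(keyid, kind, usable)] for every primary or subkey whose own
    capability field contains 'a' (lowercase = this key's capabilities)."""
    now = time.time() if now is None else now
    found = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        validity, keyid, expires, caps = f[1], f[4], f[6], f[11]
        if "a" not in caps:
            continue
        expired = expires.isdigit() and int(expires) <= now
        usable = validity not in UNUSABLE and not expired
        found.append((keyid, "primary" if f[0] == "pub" else "subkey", usable))
    return found


def usable_auth_keys(colon_output, now=None):
    """Key IDs of authentication keys that are neither expired nor revoked."""
    return [k for k, _, ok in auth_keys(colon_output, now) if ok]


def has_ambiguous_auth_key(colon_output, now=None):
    """True when an application that accepts one auth key has a choice to make."""
    return len(usable_auth_keys(colon_output, now)) > 1


def list_keys_colon():
    """Fetch live output from the local gpg (not used by the offline sample)."""
    return subprocess.run(["gpg", "--list-keys", "--with-colons"],
                          capture_output=True, text=True, check=True).stdout


def _rec(kind, validity, keyid, expires, caps):
    # Build one constructed colon-format record with the fields the parser reads.
    f = [""] * 12
    f[0], f[1], f[4], f[6], f[11] = kind, validity, keyid, expires, caps
    return ":".join(f)


# Constructed sample 1: 'SCA' primary plus a smartcard A subkey (the mix-up case).
SAMPLE_MIXED = "\n".join([
    _rec("pub", "u", "AAAA000000000001", "", "scaESCA"),      # offline primary, has A
    _rec("sub", "u", "BBBB000000000002", "", "a"),            # smartcard auth subkey
    _rec("sub", "e", "CCCC000000000003", "1483228800", "a"),  # old, expired auth subkey
    _rec("sub", "u", "DDDD000000000004", "", "s"),            # signing subkey only
])

# Constructed sample 2: 'C'-only primary, exactly one live A subkey.
SAMPLE_CLEAN = "\n".join([
    _rec("pub", "u", "EEEE000000000005", "", "cESCA"),
    _rec("sub", "u", "FFFF000000000006", "", "a"),
    _rec("sub", "r", "0000000000000007", "", "a"),            # revoked, so ignored
])

if __name__ == "__main__":
    for name, sample in (("mixed", SAMPLE_MIXED), ("clean", SAMPLE_CLEAN)):
        print(name, usable_auth_keys(sample, now=1500000000),
              "ambiguous" if has_ambiguous_auth_key(sample, now=1500000000) else "ok")
```

Run against live output with `has_ambiguous_auth_key(list_keys_colon())`; a `True` result means the keyring currently offers two or more A keys and, per the post, one of them should be retired or kept offline before it causes confusion.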


