'sign (and cert)' or just 'cert' on a master key with subkeys

Robert J. Hansen rjh at sixdemonbag.org
Mon Jul 31 17:41:58 CEST 2017

> Could probably be a direct application of this Debian article (1) on
> subkeys. And meant to facilitate the recovery of the web of trust in
> case of disaster.
> On a separate tutorial (2), Alan Eliasen strongly advises against this
> practice.

I hate to say something bad about a tutorial someone put so much obvious
love into, but most of these tutorials are _just plain bad_.  And even
the good ones, I don't recommend.

A newcomer to GnuPG needs to be told the defaults are safe for the vast
majority of users, that GnuPG does not require any special tuning before
use, and that the developers chose the defaults very carefully to be
applicable to the vast majority of users.

Debian may have specific needs which GnuPG does not meet in its default
configuration.  So if Debian wants to put together a tutorial teaching
people how to configure GnuPG in a way that meets the Debian developer
needs, I'm all in favor of that -- but I wince every time I see a
newcomer to GnuPG think that process is somehow necessary for them to
follow.  It's not.  Use the defaults until and unless you can articulate
a specific and compelling reason to deviate from them.
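The thread's subject is whether the primary key carries 'sign (and cert)' or only 'cert', with signing delegated to a subkey. The following is an added example, not code from the list post, that reads the machine-readable output of `gpg --with-colons --list-keys` and reports which configuration a given primary key actually has; the listing below is a constructed sample with placeholder key IDs.

```shell
#!/bin/sh
# Added example: classify a primary key as cert-only or sign-and-cert from
# `gpg --with-colons --list-keys` output. In a "pub" record, field 5 is the
# key ID and field 12 holds capability letters; lowercase letters are the
# primary key's own capabilities (e=encrypt, s=sign, c=certify, a=auth),
# uppercase letters are the aggregate over the whole key including subkeys.

# Constructed sample listing (placeholder key IDs, not real keys):
# key ...01 has a certify-only primary with signing and encryption subkeys,
# key ...04 has a primary key that both signs and certifies.
SAMPLE='pub:u:4096:1:0000000000000001:1500000000:::u:::cESCA::::::::::0:
sub:u:4096:1:0000000000000002:1500000000::::::s::::::23:
sub:u:4096:1:0000000000000003:1500000000::::::e::::::23:
pub:u:2048:1:0000000000000004:1445200000:::u:::scESC::::::::::0:
sub:u:2048:1:0000000000000005:1445200000::::::e::::::23:'

# classify_caps CAPS: map a field-12 capability string to a role name,
# looking only at the primary key's own (lowercase) letters.
classify_caps() {
    own=$(printf '%s' "$1" | tr -d 'A-Z')
    case "$own" in
        *s*c*|*c*s*) echo "sign-and-cert" ;;
        *c*)         echo "cert-only" ;;
        *)           echo "unknown" ;;
    esac
}

# primary_role KEYID: read a colon listing on stdin and report the role of
# the primary key with that ID. Real use:
#   gpg --with-colons --list-keys | primary_role <KEYID>
primary_role() {
    caps=$(awk -F: -v k="$1" '$1 == "pub" && $5 == k { print $12 }')
    [ -n "$caps" ] || { echo "unknown"; return 1; }
    classify_caps "$caps"
}

# Stand-alone demonstration on the constructed sample.
for id in 0000000000000001 0000000000000004; do
    printf '%s: %s\n' "$id" "$(printf '%s\n' "$SAMPLE" | primary_role "$id")"
done
```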

