[Feature Request] Multiple level subkey

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 12 18:01:11 CEST 2017


On Sun 2017-09-10 21:17:33 +0200, lesto fante wrote:
> here i want to AUTOMATE, make this thing MORE EASY to use than a
> common password approach.

I understand that you're trying to make *your* life easier.  But the
choices you make also have an impact on the people who look at your
public keys.  An OpenPGP certificate with a single master
certification-capable public key and several different
signing/encrypting/authenticating subkeys is already pretty complex, but
we have toolchains that are (starting to be) able to deal with that
situation.

If you try to introduce this multi-level arrangement, you're pretty
likely to force *other* people (whose toolchains you have even less
control over) into situations that will be LESS EASY and
NON-AUTOMATABLE.  I don't think this is a great tradeoff for the
ecosystem.

Keep it simple :)

> This approach MUST be "housewife proof";

Please don't default to using a woman as the canonical example
non-technical/clueless user.  The computer security community already
has enough problems with gender bias.  It's unfriendly and unwelcoming
in ways that we need to outgrow.  And it's wrong -- real-world
housewives (and "moms" and "grandmas" to name a few other common sexist
"female clueless user" tropes) are often expected to figure out many
things that are outside of their field of expertise and then aren't
given any intellectual credit for navigating complex and changing
requirements and expectations.

If you need an example of someone who doesn't really understand things
at a technical level but needs to have stuff Just Work for them anyway,
i've seen Cory Doctorow suggest using "your boss" as the canonical
example :P

All the best,

    --dkg