Why Signing key part of Master key
Farhan Khan
farhan at farhan.codes
Sun Feb 24 20:53:53 CET 2019
February 24, 2019 2:39 PM, "Kristian Fiskerstrand" <kristian.fiskerstrand at sumptuouscapital.com>
wrote:
> On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote:
>
>> Hi all,
>>
>> I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I
>> question, why is the signing key part of the master key? Why not have it be a subkey? Almost
>> everywhere I looked, the two were a single key except this site
>> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing
>> functionality worked the same when they the signing key was a subkey versus a part of the master.
>>
>> Are there any advantages of disadvantages either way?
>>
>> Thank you,
>
> its mostly a sensible default as people tend to keep key material on
> disk on online computers to begin with.. the benefits of a separate
> primary normally comes out in scenarios with stronger security
> requirement, at which point the manual interaction required to set it
> up isn't the biggest hurdle anyways, but actually keeping up with
> operational security is.
>
> (note, its not the SC capable primary that is the issue to begin with,
> but actually keeping it isolated, the primary will always be able to
> become signing-capable anyways by updating the flags on its self-signature)
>
> --
> ----------------------------
> Kristian Fiskerstrand
> Blog: https://blog.sumptuouscapital.com
> Twitter: @krifisk
> ----------------------------
> Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> ----------------------------
> Corruptissima re publica plurimæ leges
> The greater the degeneration of the republic, the more of its laws
I was under the impression that best practice was to keep the master key offline in cold storage.
If so, wouldn't that make having the signing key impossible to use?
And if so, is it possible to remove the Signing functionality from my Certificate key that I already generated?
---
Farhan Khan
More information about the Gnupg-users
mailing list