Why Signing key part of Master key

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Sun Feb 24 20:39:39 CET 2019


On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote:
> Hi all,
> 
> I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I
> question, why is the signing key part of the master key? Why not have it be a subkey? Almost
> everywhere I looked, the two were a single key except this site
> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing
> functionality worked the same when the signing key was a subkey versus a part of the master.
> 
> Are there any advantages or disadvantages either way?
> 
> Thank you,

It's mostly a sensible default, as people tend to keep key material on
disk on online computers to begin with. The benefits of a separate
primary normally come out in scenarios with stronger security
requirements, at which point the manual interaction required to set it
up isn't the biggest hurdle anyways, but actually keeping up with
operational security is.

(Note, it's not the SC-capable primary that is the issue to begin with,
but actually keeping it isolated; the primary will always be able to
become signing-capable anyways by updating the flags on its self-signature.)

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
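
The isolation point in the reply above can be checked on a given machine. The following is an added example, not part of the original thread or of GnuPG: it parses `gpg --list-secret-keys --with-colons` style output, with field positions taken from GnuPG's doc/DETAILS, and reports where the primary secret key lives. The key IDs, dates and function names are constructed for illustration.

```python
# Constructed listings in the layout of `gpg --list-secret-keys --with-colons`
# (key IDs and dates are made up). Field 12 = capabilities, field 15 = where
# the secret part lives: '+' on this machine, '#' stub only, else a card serial.
ISOLATED = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1550000000:::u:::scESC:::#:::23::0:
uid:u::::1550000000::::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1550000000::::::s:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1550000000::::::e:::+:::23:
"""
DEFAULT = """\
sec:u:4096:1:DDDDDDDDDDDDDDDD:1550000000:::u:::scESC:::+:::23::0:
uid:u::::1550000000::::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:EEEEEEEEEEEEEEEE:1550000000::::::e:::+:::23:
"""

def parse_secret_keys(listing):
    """Return one dict per sec/ssb record, tagged with its primary key ID."""
    keys, primary = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        f += [""] * (15 - len(f))            # tolerate short records
        if f[0] == "sec":
            primary = f[4]
        keys.append({
            "type": f[0], "keyid": f[4], "primary": primary,
            # Lowercase letters are this key's own capabilities.
            "caps": {c for c in f[11] if c.islower()},
            "location": {"+": "disk", "#": "stub", "": "unknown"}.get(f[14], "card"),
        })
    return keys

def audit(listing):
    """List findings about primary-key isolation for each key in the listing."""
    keys, findings = parse_secret_keys(listing), []
    for p in (k for k in keys if k["type"] == "sec"):
        # The [SC] flags are not checked: what matters is where the secret is.
        if p["location"] == "disk":
            findings.append(f"{p['keyid']}: primary secret key is on this machine")
        subs = [k for k in keys if k["type"] == "ssb" and k["primary"] == p["keyid"]]
        if not any("s" in k["caps"] and k["location"] != "stub" for k in subs):
            findings.append(f"{p['keyid']}: no usable signing subkey, signing needs the primary")
    return findings

if __name__ == "__main__":
    for name, listing in (("isolated", ISOLATED), ("default", DEFAULT)):
        print(name, audit(listing) or "ok")
```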
