master key certify capability

Konstantin Ryabitsev konstantin at linuxfoundation.org
Fri Jan 3 21:18:22 CET 2020


On Fri, Jan 03, 2020 at 07:06:42PM +0100, john doe wrote:
> $ gpg -K
> 
> -----------------------------
> sec   rsa4096 2020-01-03 [C] [expires: 2020-01-04]
>       3C5CFD620005347A62052A6B596CB80D30E8829D
> uid           [ultimate] Firstname Lastname <test at example.com>
> ssb   rsa4096 2020-01-03 [S] [expires: 2020-01-04]
> ssb   rsa4096 2020-01-03 [S] [expires: 2020-01-04]
> ssb   rsa4096 2020-01-03 [E] [expires: 2020-01-04]
> 
> 
> Is there any downside to having my master key with the certify capability
> only?

None.

> In other words, is it required for the master key to have the sign and
> certify capabilities?

It's not, and having a separate S subkey allows you to remove your 
certify key to offline storage for better safekeeping (e.g. see 
https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md#moving-your-master-key-to-offline-storage)

Regards,
-K
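Added example, not part of the original exchange: a small audit script that checks the property discussed above, namely that the primary key carries only the certify capability and that signing and encryption are delegated to subkeys, so the primary can be moved to offline storage. It parses the machine-readable `gpg -K --with-colons` listing (field 12 holds capabilities: lowercase letters are the key's own, uppercase letters summarise what the whole key can do). The sample listings are constructed to mirror the key shown in the question (the fingerprint is the one quoted; the subkey key IDs are placeholders, not real keys), and the GnuPG colon field layout is assumed from the `DETAILS` documentation shipped with GnuPG.

```python
"""Audit a GnuPG secret-key listing for a certify-only primary key.

Reads `gpg -K --with-colons` output and reports whether the primary key
has only the 'c' capability and whether 's' and 'e' are covered by
subkeys, i.e. whether the primary can safely live offline.
"""
import sys
from dataclasses import dataclass


@dataclass
class Key:
    rectype: str   # "sec"/"pub" for the primary, "ssb"/"sub" for subkeys
    keyid: str     # long key ID from colon field 5
    caps: str      # this key's own capabilities (lowercase letters only)


@dataclass
class KeyAudit:
    primary: Key
    subkeys: list

    def primary_is_certify_only(self) -> bool:
        return set(self.primary.caps) == {"c"}

    def subkey_caps(self) -> set:
        return {c for k in self.subkeys for c in k.caps}

    def offline_ready(self) -> bool:
        # The primary can go offline only if day-to-day signing and
        # encryption do not depend on it.
        return self.primary_is_certify_only() and {"s", "e"} <= self.subkey_caps()

    def report(self) -> str:
        status = "OK" if self.offline_ready() else "WARN"
        return (f"{status}: primary {self.primary.keyid} caps={self.primary.caps!r}, "
                f"subkey caps={''.join(sorted(self.subkey_caps()))!r}")


def parse_colons(text: str) -> list:
    """Group sec/pub records with their ssb/sub records from --with-colons output."""
    audits = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 12:
            continue  # fpr/uid/other records have no capability field of interest
        rectype, keyid, caps = fields[0], fields[4], fields[11]
        own = "".join(c for c in caps if c.islower())
        if rectype in ("sec", "pub"):
            current = KeyAudit(Key(rectype, keyid, own), [])
            audits.append(current)
        elif rectype in ("ssb", "sub") and current is not None:
            current.subkeys.append(Key(rectype, keyid, own))
    return audits


# Constructed sample: certify-only primary (fingerprint from the question),
# two signing subkeys and one encryption subkey; subkey IDs are placeholders.
SAMPLE_CERTIFY_ONLY = """\
sec:u:4096:1:596CB80D30E8829D:1578009600:1578096000::u:::cESC::+::::::0:
fpr:::::::::3C5CFD620005347A62052A6B596CB80D30E8829D:
uid:u::::1578009600::0000000000000000000000000000000000000000::Firstname Lastname <test@example.com>::::::::::0:
ssb:u:4096:1:0000000000000001:1578009600:1578096000:::::s::+::::::0:
ssb:u:4096:1:0000000000000002:1578009600:1578096000:::::s::+::::::0:
ssb:u:4096:1:0000000000000003:1578009600:1578096000:::::e::+::::::0:
"""

# Constructed sample: the common default layout, where the primary itself
# signs and only encryption is delegated, so it cannot go offline cleanly.
SAMPLE_SIGNING_PRIMARY = """\
sec:u:4096:1:0000000000000004:1578009600:1578096000::u:::scESC::+::::::0:
ssb:u:4096:1:0000000000000005:1578009600:1578096000:::::e::+::::::0:
"""


def audit_text(text: str) -> list:
    return [a.report() for a in parse_colons(text)]


if __name__ == "__main__":
    # Usage: gpg -K --with-colons | python3 audit_primary.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CERTIFY_ONLY
    for line in audit_text(data):
        print(line)
```

Run it against a live keyring with `gpg -K --with-colons | python3 audit_primary.py`; with no input it audits the constructed sample. A `WARN` line means the primary is still needed for routine signing or encryption, so moving it offline would break those operations until a subkey takes them over.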


