[linux-elitists] OT: new GPG key

David Shaw dshaw@jabberwocky.com
Wed Jun 11 22:41:34 PDT 2003


On Thu, Jun 12, 2003 at 06:25:16AM +0100, Karsten M. Self wrote:
> on Wed, Jun 11, 2003 at 06:42:41PM -0400, David Shaw (dshaw@jabberwocky.com) wrote:
> > Use a signing subkey.  It's the ideal way to handle the usual problem
> > of using portable and remote systems without having to make multiple
> > keys to do it.  It also means you don't need to get re-signed all the
> > time.
> > 
> > There are a few minor gotchas (all versions of GnuPG can handle it,
> > but only PGP 8 can verify the messages in PGP), but it works quite
> > well.
> 
> I'm not familiar with the concept.  Got any quick pointers?

Most OpenPGP keys these days look like:

  1 primary key
    1 or more user ids
    0 or more subkeys

All of the signatures you get from other people are on the primary key
plus a user id.  This primary key, then, is the one that ties you into
the web of trust.  It follows that this is the most important part of
your key and should be protected.  Subkeys are trivial to make and
delete, and making a new subkey doesn't force you to get all of your
signatures again.

So given all that, a nice way to handle the multiple machine problem,
the portable machine problem, and the online/offline machine problem
is to make a key with two subkeys, one for signing and one for
encryption.  Keep the primary (signing) key offline, and just use the
subkeys for your day to day work.

A mini howto for this trick is in http://fortytwo.ch/gpg/subkeys/

David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 261 bytes
Desc: not available
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20030612/92f8abb0/attachment.pgp 
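The layout David describes, worked through end to end with a modern GnuPG (2.2 or later) as an added example; this is not code from the original mail or from the fortytwo.ch howto. It builds a certify-only primary key plus a signing subkey and an encryption subkey in one keyring standing in for the offline machine, exports only the secret subkeys into a second keyring standing in for the laptop, and then checks that the laptop's copy of the primary is a stub while its subkeys still sign messages the offline keyring can verify. The user id, key algorithms, expiry and the empty passphrase are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original author's code. Constructed sample input:
# the user id and the message signed below are made up. Key algorithms
# (ed25519/cv25519), the one-year subkey expiry and the empty passphrase
# are assumptions chosen so the demo runs unattended.

USER_ID="Alice Example <alice@example.org>"

# Every gpg call runs in batch mode with an empty passphrase so nothing
# prompts; a real primary key gets a strong passphrase and stays offline.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

demo_offline_primary() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed, nothing to demonstrate" >&2
        echo "SKIPPED"
        return 0
    fi

    offline=$(mktemp -d)   # stands in for the offline machine
    laptop=$(mktemp -d)    # stands in for the portable machine
    chmod 700 "$offline" "$laptop"
    trap 'GNUPGHOME=$offline gpgconf --kill gpg-agent >/dev/null 2>&1;
          GNUPGHOME=$laptop gpgconf --kill gpg-agent >/dev/null 2>&1;
          rm -rf "$offline" "$laptop"' EXIT

    # 1. Primary key with usage "cert" only and no expiry. This is the key
    #    other people sign, so it ties you into the web of trust.
    GNUPGHOME=$offline g --quick-generate-key "$USER_ID" ed25519 cert never
    fpr=$(GNUPGHOME=$offline gpg --batch --with-colons --list-secret-keys "$USER_ID" \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. Day-to-day subkeys: one for signing, one for encryption. Each can
    #    be replaced later without collecting signatures on the primary again.
    GNUPGHOME=$offline g --quick-add-key "$fpr" ed25519 sign 1y
    GNUPGHOME=$offline g --quick-add-key "$fpr" cv25519 encr 1y

    # 3. Move the public key and only the secret *subkeys* to the laptop.
    #    The primary's secret material never leaves $offline.
    GNUPGHOME=$offline g --export "$fpr" > "$laptop/pub.gpg"
    GNUPGHOME=$offline g --export-secret-subkeys "$fpr" > "$laptop/subkeys.gpg"
    GNUPGHOME=$laptop g --import "$laptop/pub.gpg" "$laptop/subkeys.gpg"

    # 4. Check: the laptop lists the primary as "sec#" (a stub with no secret
    #    part) while the subkeys ("ssb") are fully usable.
    if GNUPGHOME=$laptop gpg --batch --list-secret-keys "$fpr" | grep -q '^sec#'; then
        stub=yes
    else
        stub=no
    fi

    # 5. Sign from the laptop and verify against the offline keyring. gpg
    #    picks the signing subkey by itself; no "!" suffix on the key id needed.
    printf 'release notes v1.0\n' > "$laptop/msg.txt"
    GNUPGHOME=$laptop g --local-user "$fpr" --detach-sign \
        --output "$laptop/msg.sig" "$laptop/msg.txt"
    if GNUPGHOME=$offline gpg --batch --verify "$laptop/msg.sig" "$laptop/msg.txt" \
        >/dev/null 2>&1; then
        verified=yes
    else
        verified=no
    fi

    echo "PRIMARY_IS_STUB=$stub VERIFIED=$verified"
}

demo_offline_primary
```

The practical caveat is step 3: `--export-secret-subkeys` is what keeps the primary off the laptop, and `sec#` in the listing is the quick way to confirm it worked on any machine that should not hold the primary. Regular `--export-secret-keys` would copy the primary too and defeat the point. Verification on the offline side succeeds because the subkey's binding signature was made by the primary, which is exactly why signatures from a new subkey need no re-signing by anyone else.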