On Sun, 11 Jan 2015 18:37:36 -0800 Brian Dolbec wrote:
> When you add a signing subkey, that subkey then becomes the default key
> used for signing with. If you have more than one signing subkey, the
> default can be set in gnupg.conf without editing the key. Otherwise
> you must specify which key to sign with. It is much easier to
> revoke that signing subkey and add a new one, without the need to
> create an entirely new key, losing all the key signatures it is signed
> with. If you revoke a primary key, all subkeys it contains are revoked
> as well. In that article the author describes how to generate the
> subkeys and remove the original (master) keypair for installation on a
> laptop, desktop, etc. (separate subkeys for each machine) which may be
> stolen. You keep the original (master) keypair in a secure location (eg:
> bank safe deposit box, etc.) If the laptop is stolen, the thieves do not
> have access to modify the gpg keys (even if they have the password),
> and those specific subkeys can be easily revoked, without losing your
> entire gpg key and the signatures it has accumulated. Using your master
> keypair you generate new subkeys for installation on your replacement
> laptop, and continue...

I still don't understand why the requirement of a separate signing subkey is mandatory in GLEP:63. It solves such a corner case where other solutions are possible meanwhile, e.g. encrypt your laptop's HDD, use a LUKS partition on top of it, store the password-protected secret key there. In fact the most dangerous attack is an in-memory breach, when the key is stolen from memory without any trace (the Hetzner hosting breach comes to my mind here), and a separate signing subkey wouldn't help here at all.

While this requirement may improve security a bit, it should go to recommendations and not to the bare minimum stuff.

Even the document referenced by GLEP:63, RiseUp.net OpenPGP best practices [https://we.riseup.net/riseuplabs+paow/openpgp-best-practices], points out that a separate signing subkey is only an optional bonus:

  (bonus) Have a separate subkey for signing, and keep your primary key entirely offline.

Meanwhile the link above is outdated and the following should be used instead:
https://help.riseup.net/en/security/message-security/openpgp/best-practices

On the other hand GLEP:63 allows weak algos like DSA-2048, which makes me shiver. Yes, DSA-2048 is not officially broken yet, but with RSA-1024 already broken in open media I don't trust 2048 algos, especially when they have numerous design flaws (like the good entropy requirement for every signing) and implementation weaknesses are likely to be there. Agencies are always a few steps ahead, so this should be taken into account.

Best regards,
Andrew Savchenko
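
The key layout debated in this thread can be checked mechanically. The following is an added example, not part of either message and not Gentoo's own tooling: it parses `gpg --with-colons --list-keys` output and reports whether a usable dedicated signing subkey exists, whether the primary key can still sign, and which algorithm the signing keys use. The sample listing, the function names and the `flag_algos` default are assumptions made for the example.

```python
# Added example (not from the thread): audit `gpg --with-colons --list-keys`
# output for the key layout being debated. SAMPLE is constructed, not a real
# key; trailing colon fields that the check does not read are omitted.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1420000000:1577836800::u:::cESC:
uid:u::::1420000000::::Example Dev <dev@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1420000000:1577836800:::::e:
sub:r:2048:17:CCCCCCCCCCCCCCCC:1420000000::::::s:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1420000100:1577836800:::::s:
"""

ALGO = {"1": "RSA", "16": "ElGamal", "17": "DSA"}  # OpenPGP public-key algorithm IDs
UNUSABLE = set("reidn")  # validity: revoked, expired, invalid, disabled, not valid


def parse_keys(colon_text):
    """Return one dict per pub/sub record in gpg's colon-delimited listing."""
    keys = []
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        keys.append({
            "type": f[0], "usable": f[1] not in UNUSABLE,
            "bits": int(f[2]), "algo": ALGO.get(f[3], "algo-" + f[3]),
            "keyid": f[4],
            # Field 12: lowercase letters are this key's own capabilities;
            # uppercase letters on a pub record summarise the whole key.
            "caps": {c for c in f[11] if c.islower()},
        })
    return keys


def audit(colon_text, flag_algos=("DSA",)):
    """List findings. flag_algos is this example's assumption (the concern
    raised in the reply), not a statement of GLEP 63 policy."""
    usable = [k for k in parse_keys(colon_text) if k["usable"]]
    signers = [k for k in usable if k["type"] == "sub" and "s" in k["caps"]]
    findings = []
    if not signers:
        findings.append("no usable dedicated signing subkey")
    for k in usable:
        if k["type"] == "pub" and "s" in k["caps"]:
            findings.append(f"primary {k['keyid']} still carries the sign capability")
        if "s" in k["caps"] and k["algo"] in flag_algos:
            findings.append(f"{k['keyid']} signs with {k['algo']}-{k['bits']}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "layout OK")
```

The revoked DSA subkey in the sample is ignored because its validity field is `r`, which is the state a stolen laptop's subkey would be in after revocation with the offline primary key.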