On Thu, 25 Apr 2019 12:57:54 +0100 Marek Szuba <mare...@gentoo.org> wrote:
> On 2019-04-24 20:34, Rich Freeman wrote:
>
> > The only reason to have a separate primary key is to have an offline
> > copy,
>
> Not quite. First and foremost, you do not want to have an offline copy
> of the primary private key - you want to have the primary ENTIRELY
> offline.

This has confused me. Granted, GLEP 63 does not say anything about where
to store the primary key but I followed the Debian guide at
https://wiki.debian.org/Subkeys, believing it to be best practice and if
I understood it correctly, it only removes the primary private key from
the online copy and not the entire primary key. The --list-keys option
shows an [SC] primary with an [E] subkey and an [S] subkey and I
gathered from a conversation in #gentoo-dev that this is correct. Are
you suggesting the [SC] primary should not appear here at all?

> Secondly, the reason for that is not (just) to have a backup
> but that the primary private key gives you virtually unlimited control.

Are you contradicting yourself here? You explained why the private key
must be kept secure but you didn't say anything about the rest of the
primary key.

-- 
James Le Cuirot (chewi)
Gentoo Linux Developer
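
Added example, not part of the original message: `gpg --list-keys` lists public keys, so the [SC] primary shows up there whether or not its private half is on the machine; the private half is what `gpg --list-secret-keys` reports. The sketch below reads the `--with-colons` form of that listing, assuming the GnuPG 2.1+ layout (field 12 capabilities, field 15 `#` for a stub, `+` for present); the key IDs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Classify each secret-key record from
#   gpg --list-secret-keys --with-colons
# read on stdin. Output: role, key ID, capabilities, state.
secret_key_status() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            role = ($1 == "sec") ? "primary" : "subkey"
            if ($15 == "#")      state = "stub"     # secret material absent from this keyring
            else if ($15 == "+") state = "present"  # secret material stored locally
            else if ($15 != "")  state = "card"     # token serial number: key lives on a smartcard
            else                 state = "unknown"  # marker not emitted by this gpg version
            print role, $5, $12, state
        }'
}

# Succeeds only when a primary record exists and every primary is a stub.
primary_is_offline() {
    secret_key_status | awk '
        $1 == "primary" { seen = 1; if ($4 != "stub") bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

# Constructed sample: keyring after the primary secret key was removed,
# leaving only the [E] and [S] subkey secrets.
SAMPLE_STRIPPED='sec:u:4096:1:AAAAAAAAAAAAAAAA:1556000000:::u:::scESC:::#:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1556000000::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1556000000::::::s:::+:'

# Constructed sample: same key with the primary secret still present.
SAMPLE_FULL='sec:u:4096:1:AAAAAAAAAAAAAAAA:1556000000:::u:::scESC:::+:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1556000000::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1556000000::::::s:::+:'

printf '%s\n' "$SAMPLE_STRIPPED" | secret_key_status
if printf '%s\n' "$SAMPLE_FULL" | primary_is_offline; then
    echo "primary secret key is offline"
else
    echo "primary secret key is still on this machine"
fi
```

On a real system, pipe the output of `gpg --list-secret-keys --with-colons` into `primary_is_offline` instead of the samples.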