On Tue, Nov 08, 2005 at 12:27:13PM +0100, Christoph Anton Mitterer wrote:
> Hi folks!
>
> Ok,.. I know that you can set at least the following flags to specify
> the purpose of a key:
> A - authorisation
> C - certification
> E - encryption
> S - signation
>
> Ok,.. as far as I understood, if a key is C-only, this indicates
> that it is used solely for signing other keys, but not for signing
> normal data, correct?
>
> Ok,.. I thought about that and came to the result - correct me if I'm
> wrong - that it would be more secure to use the primary key only for
> certificating other keys (and of course for self-sigs).
>
> Ok my current key looks like the following:
> primary: CS, RSA-S, 4096 bit
> secondary: E, ElGamal, 4096 bit
>
> So I think it would be better to have the following:
> primary: C, RSA-S, 4096 bit
> secondary: S, RSA-S, 4096 bit
> secondary: E, ElGamal, 4096 bit
>
> Ok...
> 1) Is it advisable at all?

Yes. Many people do it this way, including myself. It's not actually an
RSA-S key (that's deprecated), but a regular RSA key with the S flag set.
However, you don't actually want to change the primary from CS to C.

> 2) Can I change this with GPG (without having to create a new key, of
> course)?
> 3) If not: Is this function going to be introduced in GPG the next time?
> 4) If not: How could I do that else?

You can add a signing subkey any time you like. This doesn't flip your
primary CS key into a C only key, but that doesn't matter much. If GnuPG
sees you have a signing subkey, it will always choose it in favor of the
primary key when making a signature.

You don't want a C only primary key because if you go to a key signing
party, you may be asked to sign a challenge to prove you own your key.
This challenge must be signed with the primary key to be valid.

> 5) Would it change my primary key in such a way, that it renders the
> signatures that I've already received from other users invalid?

No. This does not affect third-party signatures.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
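The capability layout David describes (primary keeps C and S, a separate S subkey that GnuPG will prefer for data signatures, an E subkey for encryption) can be checked mechanically from the machine-readable key listing. The script below is an added example, not code from this thread or from the GnuPG project. It assumes the colon-separated output of `gpg --list-keys --with-colons`, where field 12 of each `pub`/`sub` record holds the capability letters (lowercase for that key's own capabilities, uppercase on the `pub` record for the whole key), and it uses two constructed listings: one with the recommended CS-primary layout and one with the C-only primary the question proposed. The key IDs, fingerprints and timestamps in the samples are made up.

```python
"""Report the capability layout of a GnuPG key from `gpg --list-keys --with-colons`.

Added example (not from the mailing-list thread). Assumes GnuPG's colon
listing format: field 12 of a pub/sub record carries capability letters.
Produce a real listing with:   gpg --list-keys --with-colons KEYID
A signing subkey is added interactively with `gpg --edit-key KEYID` and the
`addkey` command (current GnuPG releases also offer --quick-add-key).
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Capability letters as GnuPG prints them (a = authentication, not authorisation).
CAPABILITY_NAMES = {"a": "authentication", "c": "certification",
                    "e": "encryption", "s": "signing"}

# Public-key algorithm numbers used in field 4 of the colon listing.
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA"}

# Constructed listing: CS primary, S subkey, E subkey (the layout the reply recommends).
SAMPLE_RECOMMENDED = """\
tru::1:1131449233:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1131449000:::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000001234567890ABCDEF:
uid:u::::1131449000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1131449100::::::s::::::23:
fpr:::::::::0000000000000000000000000FEDCBA9876543210:
sub:u:4096:16:1122334455667788:1131449050::::::e::::::23:
fpr:::::::::0000000000000000000000001122334455667788:
"""

# Constructed listing: the C-only primary proposed in the question.
SAMPLE_C_ONLY = SAMPLE_RECOMMENDED.replace(":::u:::scESC:", ":::u:::cESC:")


@dataclass
class KeyRecord:
    kind: str    # "pub" (primary key) or "sub" (subkey)
    keyid: str
    algo: str
    bits: int
    caps: str    # this key's own capabilities, lowercase letters only


def parse_listing(text: str) -> list[KeyRecord]:
    """Extract the pub/sub records from --with-colons output."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        # The pub record also lists the usable capabilities of the whole key
        # in uppercase; keep only the letters that belong to this key itself.
        own_caps = "".join(ch for ch in fields[11] if ch.islower())
        keys.append(KeyRecord(kind=fields[0], keyid=fields[4],
                              algo=ALGO_NAMES.get(int(fields[3]), "algo" + fields[3]),
                              bits=int(fields[2]), caps=own_caps))
    return keys


def check_layout(keys: list[KeyRecord]) -> dict:
    """Apply the advice from the reply: keep C and S on the primary, sign with a subkey."""
    primary = next(k for k in keys if k.kind == "pub")
    signing_subkeys = [k for k in keys if k.kind == "sub" and "s" in k.caps]
    encryption_subkeys = [k for k in keys if k.kind == "sub" and "e" in k.caps]
    warnings = []
    if "c" not in primary.caps:
        warnings.append("primary key cannot certify other keys or its own user IDs")
    if "s" not in primary.caps:
        warnings.append("primary key cannot sign data, e.g. a key-signing-party challenge")
    if not signing_subkeys:
        warnings.append("no signing subkey: data signatures will be made with the primary key")
    if not encryption_subkeys:
        warnings.append("no encryption subkey")
    return {
        "primary_caps": primary.caps,
        "signing_subkeys": [k.keyid for k in signing_subkeys],
        "encryption_subkeys": [k.keyid for k in encryption_subkeys],
        # GnuPG prefers a signing subkey over the primary when one exists.
        "signs_with_subkey": bool(signing_subkeys),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Read a real listing from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RECOMMENDED
    for key in parse_listing(text):
        names = ", ".join(CAPABILITY_NAMES.get(c, c) for c in key.caps)
        print(f"{key.kind} {key.keyid} {key.algo}-{key.bits}: {names}")
    for warning in check_layout(parse_listing(text))["warnings"]:
        print("warning:", warning)
```

Run as `gpg --list-keys --with-colons KEYID | python3 keylayout.py` against a real key; the only warning the recommended layout triggers is none, while the C-only layout from the question reports that the primary can no longer sign a challenge, which is exactly the objection raised in the reply.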