Hi all,I have read Adrian's tutorial at http://fortytwo.ch/gpg/subkeys and related documents, and I am yet unsure how to apply this technique to my situation where I have _two_ "insecure" locations instead of one.
You will find below: description of situation, my needs, how I did achieve something using Adrian's technique for my needs, tests, and additional questions. You can jump straight to the end if you are not interested by the details.
Here is the situation:- laptop as main personal computer, carried around and therefore not-so-secure,
- windows workstation at work, not-so-secure as well,- some other computer in "hidden" place, secure and not connected to the internet.
What I would like to: - send encrypted email with the insecure computers, - sign email with both insecure computers,- send encrypted-to-self email from the windows workstation, that can be decrypted on the laptop
- sign other keys with the laptop - read encrypted emails sent by other people to me on the laptop - no private encryption key on the windows workstation- have a subkey for "secure" communication attached to my primary key, so that people can send me stuff that can be read only on my secure computer
Here is what I did on the secure computer: 1. create a primary DSA key id# 0x5024FAE32. create a DSA signing subkey id# 0x66808804 for use on the windows workstation
3. create a DSA signing subkey id# 0xACD488B7 for use on the laptop 4. create an EL-Gamal encryption subkey id# 0xB8838617 for use on the laptop5. create an El-Gamal encryption subkey id# 0x7FEFD6B8 for use on the secure computer
6. export public keys to file 7. backup everything 8. delete 0xACD488B7 0xB8838617 0x7FEFD6B89. export secret subkeys 0x66808804, import them on windows workstation with public keys
10. restore everything 11. mark 0xACD488B7 as able to sign other keys 12. delete 0x66808804 0x7FEFD6B813. export secret subkeys 0xACD488B7 0xB8838617, import them on laptop with public keys
14. restore everything Here are the tests I did:- send signed mail and verify them on either insecure computer or 3rd-party with access to only public keys
- send encrypted mail with any computer and decrypt it on the laptop - encrypt data using the secure key, decrypt it on the secure computerHere are the tests I did not do yet (as of today, I don't have access to the secure computer):
- sign other keys, check signatures, etc. - sign other keys on the laptop without access to the primary key, - test everything with PGP Now, questions:Q1. how do you think other software (PGP, old GPG, ...) behave when they see multiple encryption public subkeys?
Q2. will signatures on other keys made with the laptop be recognised by other software? Is there anything I should care for w.r.t trust when I sign keys?
Q3. do you think it is better I do not entrust the laptop subkey to sign other keys?
For that last question I have to state the difference between the windows workstation and the laptop: the laptop is "more" secure than the workstation. If the laptop is compromised I would know about it immediately, and issue any relevant revocation certificates straight away. Any encrypted data on the laptop is deleted securely after I have decrypted it.
The windows workstation is quite secure (read: well-maintained configuration, good IT staff and workplace access control) but could be compromised at any time *by the company* without me knowing it, and data backups including my secret keyring will float around for several years. I will probably revocate company-related keys only when I leave the employment. Or maybe on a yearly basis. I don't know yet.
Therefore, any signature made with the laptop before the key is revoked should be trusted (as much as a signature made with the primary key), whereas any signature made with the windows workstation is valid only inside the company.
Q4. How can I mark my level of trust for the different subkeys using gnupg? Thanks in advance for any enlightenment, -- Raphaël Poss
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
