-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simon Dwyer escribió: > Hi everyone, > > I am new to all this and have been alot of reading. > > One thing i cant get my head around is subkeys. I have generated a sub > key with my master key and i undestand that. All the commands and thing > i have been doing i have been using my master keys id... should i be > actively using my sub key? or does it just use it as i talk to people?
Hello, and yes, I think subkeys are confusing... I am still a bit confused... Anyway, there are a few things I understood, and they are: 1.- There are keys used to sign, and other keys used for encrypt/decrypt: DSA keys can sign but not encrypt, Elgammal can encrypt but not sign. RSA can do both functions, but the function intended for it must be defined at the moment of creating the key. And that is the reason to use "key pairs", because a singe key can't do both functions. 2.- You can make a key pair using DSA-Elgammal, or RSA(sign)-RSA(encrypt). Maybe you can mix, but I am *not sure* about that. 3.- A key pair is always composed by a primary key (used to sign), and a subkey used to encrypt/decrypt. 4.- You can add more subkeys, for signing and for encrypting. But I don't have any idea about how does GnuPG chose what key is going to use... 5.- The primary key is the only key that can sign other keys. 6.- But if you have a signing subkey, and an encrypting subkey, you can use these subkeys pair to sign and encrypt... you can even export the secret keys and store them safe, then export the subkeys, delete the key, import the subkeys, and be able to do everything, except to sign other people's keys. You can revoke the subkeys, if they get compromised, and since the primary key would not be compromised, you can import it, make a new subkeys pair, and keep functioning with the same master key ID (so, you would not lose the signatures people have done to your key). 7.- If you delete a subkey used to encrypt, you won't be able to read messages sent to you encrypted for that subkey, so, if you have to revoke a subkey, do it, but never delete it. And that is all I know about the subject... So, you don't have to do anything to use your subkey, it is already being used anytime you need to encrypt/decrypt. Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBAgAGBQJITgBqAAoJEMV4f6PvczxAWB8H/RWpE1qesd5I13Rnj5S/2ILr mPj2SuSVKHYc5qZuLuGRxw+2gaXO8icMb91Fep58DTivvJFpat3KEkypWAPSyhH1 8pbm69l813Z1Ok+1uIaUXxEyaKQJOEnCejfp0qK+Ow7Yy+V61lBzl8shssll/Upb q5eUeaofqRdkujEOfKVdRd4KdsWS6+Giu+a+HbJiiwC5UjM5Js8qj94aFCYtXrfT b4CnYmTW89ekMz9iL51J9EBXzrkoZ4nQaLgQ875xLwsNyFjy+Cer5+j4+TziPz8j FgsV5t3AY8W7wLiMbMviiWJ0Uqv792Kjs85+qfMsDVp61jqCaX6MkBWzEBR3lQk= =zuH8 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
