On Tue, Sep 06, 2005 at 01:03:00AM +0200, Lionel Elie Mamane wrote:
> On Mon, Sep 05, 2005 at 04:46:46PM -0400, David Shaw wrote:
>> On Mon, Sep 05, 2005 at 09:35:50PM +0200, Lionel Elie Mamane wrote:

>>> You could argue I could have this without marking the key as
>>> certificate-only, by never issuing data signatures with the primary
>>> key. That's harder on me. I have to be more cautious. Over the course
>>> of twenty years, I *will* screw up.

>> GnuPG actually makes it hard for you to screw up here. If there is
>> a subkey that can sign, GnuPG will use it rather than the primary.
>> The only way to get a signature (as opposed to a key certification)
>> from the primary is to specify its key ID explicitly with an
>> exclamation point.

> Ah. Good. I just hope mutt doesn't pass the KeyID with an exclamation
> point. Should check that.

Also, when my signature subkey expires, it would (I guess) silently
start using the primary. Which makes me _very_ happy I chose to make
my primary certification-only, because signatures started to fail
instead, which gave me notice and allowed me to issue a new signature
subkey :)

--
Lionel
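An added example, not part of the original message: a shell check over `gpg --list-keys --with-colons` output that reports whether the primary key is certification-only and whether a usable signing subkey remains or is close to expiry. The function names, key IDs and dates in the sample listing are constructed, and the check assumes expiry dates are printed as seconds since the epoch.

```shell
#!/bin/sh
# Added example. Reads `gpg --list-keys --with-colons KEYID` output on stdin.
# Usage: audit_key NOW_EPOCH WARN_DAYS   (audit_key is a hypothetical helper name)
audit_key() {
    LC_ALL=C awk -F: -v now="$1" -v warn="$2" '
    $1 == "pub" {
        # Field 12: lowercase letters are the capabilities of this key itself,
        # uppercase letters summarise the whole key (primary plus subkeys).
        own = $12
        gsub(/[^a-z]/, "", own)
        if (own ~ /s/) print "primary-can-sign " $5
        else print "primary-cert-only " $5
    }
    $1 == "sub" && $12 ~ /s/ {
        # Field 2 is validity (e = expired, r = revoked); field 7 is the expiry date.
        if ($2 ~ /^[er]$/ || ($7 != "" && $7 + 0 <= now + 0)) {
            print "sign-subkey-unusable " $5
            next
        }
        usable++
        if ($7 != "" && $7 - now < warn * 86400) print "sign-subkey-expiring " $5
        else print "sign-subkey-ok " $5
    }
    END { if (!usable) print "no-usable-sign-subkey" }'
}

# Constructed sample listing: certification-only primary, one expired and one
# current signing subkey, one encryption subkey. Not taken from a real keyring.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1100000000:::u:::cESC:
sub:e:2048:1:BBBBBBBBBBBBBBBB:1100000000:1125000000:::::s:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1125500000:1157000000:::::s:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1100000000::::::e:
EOF
}

# Evaluate the sample as of a fixed time in September 2005, warning 30 days ahead.
sample_listing | audit_key 1126000000 30
```

Against a real keyring, pipe the listing for one key into `audit_key "$(date +%s)" 30` and alert on `sign-subkey-expiring` or `no-usable-sign-subkey`.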