On 12/12/10 6:07 AM, David Shaw wrote:
>
> The flags you can turn on and off in expert mode are:
>
> Sign: sign data (i.e. sign a file)
> Encrypt: encrypt
> Authenticate: prove your identity (for example, sign a challenge
> token presented by a server so it will let you in)

Ah, this explains its use for SSH as well. Nice.

> You can't actually turn on or off certify (which is to sign a key -
> either your own or someone else's). In OpenPGP, the primary key can
> always certify (it may be able to encrypt/sign/authenticate as well,
> but the only strict requirement is that it must be able to certify).
> Without the ability to certify, you could never make a subkey, since
> subkeys are signed by the primary key.

Cool.

On a tangential note, could this be used as a basis for applying a PKI/WoT model to certification of SSL keys, rather than relying on CAs? I don't really want to hijack my own thread, but I've always been deeply suspicious of the obvious money grab of the CA system of (mainly website) SSL certificates and I think alternatives are worth exploring.

> So given that all primary keys will certify, you just need to decide
> whether you want it to sign, encrypt, or both. The default is to
> certify and sign, and that is what I recommend (no expert mode
> needed).

Cool. I've already had a play around with that, but having the option of skipping it is good for those who might be worried about messing it up.

> Once you make that primary key, you just add subkeys for whatever
> capabilities you desire. Again, the defaults are recommended (they
> are correct for virtually everyone). I'd add a sign-only subkey and
> an encrypt-only subkey. GnuPG will automatically use the subkey for
> signing over the primary key for signing.

I assume this means that if the primary key can sign & certify, that key will still be used to sign other keys even if there is a specific signing subkey for messages and files. Right?

Regards,
Ben
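An added example, not from the thread: a short Python script that parses the colon-separated listing `gpg --list-keys --with-colons` produces and applies the rules David describes (certification always stays with the primary key; a usable sign/encrypt subkey is preferred over the primary) to a constructed listing. The key IDs are made up, and the newest-subkey tie-break and the set of validity codes treated as unusable are assumptions, not taken from the mail.

```python
"""Parse `gpg --list-keys --with-colons` output and report which key carries
each capability.  Field 12 (1-based) holds the flags: lowercase letters are
the key's own capabilities (c=certify, s=sign, e=encrypt, a=authenticate);
uppercase letters on the pub line summarise what the whole key can do."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing (not real keys): a primary key that certifies and
# signs, a sign-only subkey, a revoked sign-only subkey, an encrypt-only subkey.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1292100000:::u:::scESC::::::23::0:
uid:u::::1292100000::CONSTRUCTEDHASH::Example User <user@example.invalid>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1292100000::::::s::::::23:
sub:r:2048:1:1122334455667788:1292200000::::::s::::::23:
sub:u:2048:1:0011223344556677:1292100000::::::e::::::23:
"""

@dataclass
class KeyRecord:
    kind: str      # "pub" (primary) or "sub" (subkey)
    validity: str  # field 2: u=ultimate, f=full, r=revoked, e=expired, ...
    keyid: str
    created: int   # creation time, seconds since the epoch
    caps: str      # this key's own (lowercase) capability flags

def parse_listing(text: str) -> List[KeyRecord]:
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            own = "".join(ch for ch in f[11] if ch.islower())
            keys.append(KeyRecord(f[0], f[1], f[4], int(f[5]), own))
    return keys

def usable(k: KeyRecord) -> bool:
    # Revoked, expired, disabled, invalid or never-trusted keys are skipped.
    return k.validity not in ("r", "e", "d", "i", "n")

def select_key(keys: List[KeyRecord], cap: str) -> Optional[str]:
    """Key ID that would be used for capability `cap`, or None if none fits.
    Certification ('c') always falls to the primary key, since subkeys are
    signed by it.  For s/e/a a usable subkey is preferred over the primary;
    among several, the newest wins (assumed tie-break, not stated in the mail)."""
    primary = next(k for k in keys if k.kind == "pub")
    if cap == "c":
        return primary.keyid if "c" in primary.caps else None
    subs = [k for k in keys if k.kind == "sub" and cap in k.caps and usable(k)]
    if subs:
        return max(subs, key=lambda k: k.created).keyid
    return primary.keyid if cap in primary.caps and usable(primary) else None
```

Run it against the real output of `gpg --list-keys --with-colons` to see which key would certify, sign or encrypt; the revoked subkey in the sample shows why the validity field must be checked and not just the flags.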
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users