On Monday, 2 May 2011, 16:47:31, patric...@lavabit.com wrote:

> My idea is to create a master signing key on an offline
> computer(persistent live usb). Then create two subkeys that have regular
> expiration dates. One encryption key and one additional "daily-use"
> signing key.

You can create the master key without any capability except for certification. It is theoretically possible to use several keys (main key and subkeys) within one key for signing and give the signatures different meanings (e.g. "daily use" vs. "high security") but I think that most people would not notice the difference. So IMHO the only reason for having several simultaneously valid keys with the same ability in one key is compatibility: Use the strongest key (and have the others use it) whenever possible, otherwise use the worse fallback.

I think it's a good idea to have signature and encryption keys of different quality but I would advise to use different main keys for that. That allows the others to understand the difference from a simple look at the UID (when using comments like "daily use" and "high security").

> Would this create any
> problems for those reading and verifying my emails?

No. Subkeys are a normal feature. The default configuration creates keys with a subkey (not for signing though). Nobody except you should be able to realize whether your master key is stored online or offline.

> Would it be necessary to link to my key policy in my mail

No but it makes sense (independently of this question) to link it in your self-signature. See the option --set-policy-url, though in the default configuration this URL is not shown (just hinted by a "P").

> or would it be seamless that my sub
> signing key is valid because it is signed by the master.

Yes, that's the concept of OpenPGP.

Hauke

-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
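The key layout discussed in this thread (a certification-only primary key kept offline, plus an expiring signing subkey and an expiring encryption subkey for daily use), as an added example that is not part of the original post and not GnuPG project code. It assumes GnuPG 2.1 or newer (the `--quick-*` commands), uses a throwaway GNUPGHOME, and the user ID, the ed25519/cv25519 algorithms and the one-year expiry are constructed values for the demo. The `check_layout` helper reads `gpg --list-keys --with-colons` output and confirms that the primary key's own capability is only "c" and that every subkey carries an expiry date, which is the property a reviewer of such a key would want to verify.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build a certify-only primary
# key with two expiring subkeys (sign, encrypt) and verify the layout.
# Assumes GnuPG >= 2.1; all names and values below are constructed for the demo.
set -eu

# Read `gpg --list-keys --with-colons` output on stdin and check that:
#  - the pub record's own capabilities (field 12, lowercase letters) are exactly "c"
#  - every sub record has an expiry date (field 7 non-empty)
#  - there is exactly one signing subkey ("s") and one encryption subkey ("e")
# Returns 0 when the layout matches, 1 otherwise.
check_layout() {
    awk -F: '
        $1 == "pub" {
            own = $12; gsub(/[^a-z]/, "", own)   # drop uppercase "whole key" flags
            if (own != "c") bad = 1
        }
        $1 == "sub" {
            if ($7 == "") bad = 1               # subkey without expiry
            own = $12; gsub(/[^a-z]/, "", own)
            if (own == "s") { s++ } else if (own == "e") { e++ } else { bad = 1 }
        }
        END { exit ((bad || s != 1 || e != 1) ? 1 : 0) }
    '
}

# Generate the split key in a fresh, private GNUPGHOME. The empty passphrase is
# only acceptable for a throwaway demo; a real offline primary key gets a strong one.
gen_split_key() {
    uid="$1"
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Primary key: certification only, no expiry (it never signs mail or data).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" ed25519 cert never
    fpr=$(gpg --batch --list-keys --with-colons "$uid" | awk -F: '$1 == "fpr" { print $10; exit }')
    # Daily-use subkeys with a regular expiry; extend later with --quick-set-expire.
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" ed25519 sign 1y
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" cv25519 encr 1y
    # Secret material for the online machine: subkeys only; the primary stays offline.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys --armor "$fpr" > "$GNUPGHOME/daily-use-subkeys.asc"
    echo "fingerprint: $fpr"
    echo "subkey bundle: $GNUPGHOME/daily-use-subkeys.asc"
    gpg --batch --list-keys --with-colons "$fpr" | check_layout && echo "layout OK"
}

# Key generation only runs on request, so the file can be sourced for check_layout alone.
if [ "${1:-}" = "generate" ]; then
    gen_split_key "Alice Example <alice@example.org>"   # constructed user ID
fi
```

Run it as `sh keylayout.sh generate` to produce the key; the exported bundle contains the two subkeys and only a stub for the primary, which is what goes to the online machine. Correspondents importing the public key see an ordinary key with subkeys and cannot tell where the primary's secret half lives, as the reply above notes.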
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users