Hi

On Sunday 16 December 2012 at 5:03:42 AM, in
<mid:7064600.aJxIxBHWNB@inno>, Hauke Laging wrote:

> With a compromised mainkey it
> shouldn't be a problem to create a certificate with a
> modified capability set anyway.

Yes, I didn't think that through properly.

MFPA:
>> There is no real limitation here. If a need arose for
>> "higher security" signing or encryption keys, new
>> subkeys with those capabilities could be created and
>> circulated, and the secret subkeys stored offline just
>> like the main key.

> That's right but makes the whole thing even more
> complicated – without explaining what the advantage
> should be.

I disagree. What you see as added complication, I see as
simplification. Most keys having a single use but one having several
uses is more complicated to me than each key having a single use.

> And complicated is bad as understanding is
> critical to the practical value of crypto.

Agreed.

> Once unlocked the
> OpenPGP card does as many decryptions as you want. I do
> not see any reason for that.

Convenience. (Which is often the opposite of security.)

> I would not call such
> a "deprecated" name "invalid". The person can still be
> identified by the old name.

They can, and some people routinely are (such as solicitors who use
their former name for work and their current name for non-work
matters). But hanging on to the old identity whilst also taking up the
new one sends mixed messages and seems like a contradiction.

> In that case it makes sense IMHO only if the
> certification procedure (for the "real" key) is
> somewhat complicated because the key owner follows a
> good certification policy.

It means a lapse in competence, such as accidentally exporting your
local signatures, does not compromise your good certification policy.

-- 
Best regards

MFPA                    mailto:expires2...@rocketmail.com

Wait. You think I'm right?