On Thu, Sep 12, 2013 at 12:16 AM, Hauke Laging <mailinglis...@hauke-laging.de> wrote:
> On Wed 11.09.2013, 23:42:30, Philip Jägenstedt wrote:
>> My public key has the default capabilities sign and certify. I've seen
>> that some people have only the certify capability in order to be able to
>> keep the main key offline most of the time.
>
> It's of limited use to make a former online mainkey an offline mainkey. You
> should create a completely new key (on a secure system).

Certainly, I can't take the master key offline and then pretend it has never seen a computer with a network connection. I could have used other terminology; what I'm actually considering is how to remove the private master key from my laptop, so that if it's lost/stolen I only need to revoke the subkeys.

>> Is it technically possible to change the capabilities of an existing
>> key, even if there's no way to do it via --edit-key?
>
> May be possible (it surely would be with patching GnuPG) but is not necessary.
> It makes perfect sense to have signing (and even encryption) capability on an
> offline mainkey.
>
>> If it's not possible, what would be the consequence of adding a subkey
>> with the sign capability, which key would be used when both are
>> available?
>
> If there is a subkey then it is used always. I do not know though whether this
> is a direct effect (defined that way) or an indirect one: the creation date
> (and the selfsig date) of a subkey should always be after the creation date of
> the mainkey.

On Thu, Sep 12, 2013 at 12:07 AM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
>
> I believe GnuPG uses the most-recently-updated subkey that it believes
> to have signing capability, unless you force the subkey in question via
> --local-user or --default-key with a ! suffix (see the "By key Id."
> section in gpg(1)).

You're both right. I've tested simply adding a subkey with the sign capability, and that's the one that gpg used, even with the master key available. In other words, it's perfectly possible to do what I wanted without modifying the existing keys.

--
Philip Jägenstedt

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
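What the thread settles, run end to end in scratch keyrings: gpg signs with the primary while that is the only signing key, switches to a newly added signing subkey on its own, can be forced back to the primary with the "!" suffix, and a second keyring that holds only the exported secret subkeys still signs with the subkey. This is an added example, not part of the original message or of GnuPG's documentation. It assumes GnuPG 2.2 or later on PATH; the test user ID, the file names and the helper functions (g, signer_of, signing_subkey_fpr, primary_secret_status) are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): which key gpg picks for signing, and how
# to end up with a keyring that has no secret primary key at all.
# Assumptions: GnuPG 2.2+ on PATH, scratch GNUPGHOMEs, a throwaway key with an
# empty passphrase for "Test User <test@example.invalid>".
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to run" >&2; exit 0; }

FULL=$(mktemp -d)     # keyring that keeps the secret primary (the "secure system")
LAPTOP=$(mktemp -d)   # keyring that will only hold the secret subkeys
trap 'for h in "$FULL" "$LAPTOP"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$FULL" "$LAPTOP"' EXIT
export GNUPGHOME="$FULL"

# Non-interactive gpg with an empty passphrase (test key only).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the key that actually made a detached signature: field 3 of
# the VALIDSIG status line is the signing (sub)key, not the primary.
signer_of() {  # $1 = signature file, $2 = signed data
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}'
}

# Fingerprint of the first secret subkey whose capabilities (field 12) include "s".
signing_subkey_fpr() {
    gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1=="ssb" && $12 ~ /s/ {want=1; next} want && $1=="fpr" {print $10; exit}'
}

# Field 15 of the sec record is "#" when only a stub of the secret primary exists.
primary_secret_status() {
    gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1=="sec" {print ($15=="#" ? "stub" : "present"); exit}'
}

printf 'the message\n' > "$FULL/msg"

# Default key: certify+sign primary plus an encryption subkey.
g --quick-generate-key 'Test User <test@example.invalid>' default default never
PRIMARY=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null | awk -F: '$1=="fpr" {print $10; exit}')

# 1. With no signing subkey, the primary signs.
g --detach-sign --output "$FULL/msg.sig1" "$FULL/msg"
SIGNER1=$(signer_of "$FULL/msg.sig1" "$FULL/msg")

# 2. Add a signing subkey. gpg picks the signing-capable key with the newest
#    creation time, so make sure the subkey's creation second is strictly later.
sleep 1
g --quick-add-key "$PRIMARY" default sign never
SUBKEY=$(signing_subkey_fpr)
g --detach-sign --output "$FULL/msg.sig2" "$FULL/msg"
SIGNER2=$(signer_of "$FULL/msg.sig2" "$FULL/msg")

# 3. The "!" suffix on --local-user forces that exact key, primary included.
g --detach-sign --local-user "${PRIMARY}!" --output "$FULL/msg.sig3" "$FULL/msg"
SIGNER3=$(signer_of "$FULL/msg.sig3" "$FULL/msg")

# 4. The laptop keyring gets the public key and only the secret subkeys.
g --export "$PRIMARY" > "$FULL/pub.gpg"
g --export-secret-subkeys "$PRIMARY" > "$FULL/subs.gpg"
export GNUPGHOME="$LAPTOP"
g --import "$FULL/pub.gpg" "$FULL/subs.gpg"
LAPTOP_PRIMARY=$(primary_secret_status)
g --detach-sign --output "$LAPTOP/msg.sig4" "$FULL/msg"
SIGNER4=$(signer_of "$LAPTOP/msg.sig4" "$FULL/msg")
# Forcing the absent primary must fail here: there is no secret key for it.
if g --detach-sign --local-user "${PRIMARY}!" --output "$LAPTOP/msg.sig5" "$FULL/msg" 2>/dev/null; then
    FORCED_PRIMARY_ON_LAPTOP=signed
else
    FORCED_PRIMARY_ON_LAPTOP=refused
fi

echo "primary:                 $PRIMARY"
echo "signing subkey:          $SUBKEY"
echo "1 default, no subkey:    $SIGNER1"
echo "2 default, with subkey:  $SIGNER2"
echo "3 forced with '!':       $SIGNER3"
echo "4 laptop, subkeys only:  $SIGNER4 (secret primary: $LAPTOP_PRIMARY; forcing it: $FORCED_PRIMARY_ON_LAPTOP)"
```

Two practical notes. The one-second pause is not cosmetic: gpg chooses among signing-capable keys by creation time, so a subkey created in the same second as the primary is not guaranteed to win the selection. And the laptop keyring shows the trade-off the thread is about: it can sign, but anything that needs the primary (adding, expiring or revoking subkeys, certifying other keys) has to happen where the full keyring lives, so the exported full keyring and a pre-generated revocation certificate need to be kept somewhere other than the laptop.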