"Paul R. Ramer" <free10...@gmail.com> writes:

> On July 9, 2014 11:40:06 AM PDT, MFPA
> <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA512
>>
>>Hi
>>
>>On Wednesday 9 July 2014 at 5:54:36 PM, in
>><mid:3222188.kZ1ztGDBqg@inno>, Hauke Laging wrote:
>>
>>> On Tue 08.07.2014, 14:41:36, J. David Boyd wrote:
>>>> which means that any of them can make changes to your
>>>> keys.
>>
>>> And that is wrong.
>>
>>Please can you elaborate on how it is incorrect to say that somebody
>>who knows the passphrase to a secret key can make changes to that key.
>>Would this maybe be the case when using an encryption subkey with an
>>offline main key?
>
> If you make encryption and signing subkeys you can export them
> (i.e. the secret subkeys), create a new gnupg home directory, import
> the subkeys, change the password on them, and finally, export and
> distribute them to the people who are supposed to use them.
>
> By doing this you can have a person who manages the master key
> separately under another password and the authorized users can use the
> encryption and signing secret subkeys without being able to make
> changes to them.
>
> The person who manages the master key can add new UIDs for any new
> user and give that person a copy of the secret subkeys with the
> password. The only problem that I see right away is revoking control
> when one of the users leaves. One way that you could remedy this is
> to revoke the old subkeys and issue new ones.
>
> I am not recommending this method but it is a way that it can be done.
>
> Anyway...
>
> Cheers,
>
> -Paul
>
> --
> PGP: 3DB6D884

Wow, that would be a lot of work. Actually, I didn't even know you could do that. GPG is versatile, to say the least.

Dave
PGP: 96569433

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
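The subkey-splitting procedure Paul describes above, written out as an added shell example (this is not code from the thread or from the GnuPG project). It assumes GnuPG 2.1 or later with `gpg` and `gpgconf` on PATH, builds a throw-away key in one temporary GNUPGHOME, exports only the secret subkeys into a second GNUPGHOME, and then checks the security property the thread is arguing about: the subkey-only directory can still sign, but cannot change the certificate (here: add a user ID), while the directory holding the primary key can. The user ID, passphrase and fingerprint handling are constructed for the demo. The passphrase-change step is interactive and is shown as a comment rather than executed.

```shell
#!/bin/sh
# Added example: separate secret subkeys from an offline primary key.
# Assumes GnuPG >= 2.1 (gpg, gpgconf). All key material is constructed in
# temporary directories and deleted at the end.
set -eu

# Create a certify-only primary key plus signing and encryption subkeys in
# the homedir $1, protected by passphrase $2. Prints the primary fingerprint.
make_key() {
    home=$1; pass=$2
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase "$pass" \
        --quick-generate-key 'Demo Team <demo@example.invalid>' ed25519 cert never \
        >/dev/null 2>&1
    fpr=$(gpg --homedir "$home" --with-colons --list-keys \
          | awk -F: '/^fpr/ { print $10; exit }')
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase "$pass" \
        --quick-add-key "$fpr" ed25519 sign never >/dev/null 2>&1
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase "$pass" \
        --quick-add-key "$fpr" cv25519 encr never >/dev/null 2>&1
    echo "$fpr"
}

# Run the procedure and print "split-ok" when the subkey-only homedir can
# sign but cannot add a user ID, and the full homedir still can.
demo_split_subkeys() {
    pass='constructed-passphrase'
    h1=$(mktemp -d); h2=$(mktemp -d)   # h1: key manager, h2: authorized user
    chmod 700 "$h1" "$h2"
    fpr=$(make_key "$h1" "$pass")

    # Step 1: export the public key and only the secret subkeys. The
    # exported primary secret key is a stub, so h2 never sees it.
    gpg --homedir "$h1" --export "$fpr" > "$h2/pub.gpg"
    gpg --homedir "$h1" --batch --pinentry-mode loopback --passphrase "$pass" \
        --export-secret-subkeys "$fpr" > "$h2/subkeys.gpg"
    # Step 2: import both into the users' fresh homedir.
    gpg --homedir "$h2" --batch --import "$h2/pub.gpg" >/dev/null 2>&1
    gpg --homedir "$h2" --batch --import "$h2/subkeys.gpg" >/dev/null 2>&1
    # Step 3 (interactive, not run here): give the subkeys their own passphrase
    # before distributing $h2/subkeys.gpg:
    #   gpg --homedir "$h2" --change-passphrase "$fpr"

    result=split-ok
    # The subkey-only homedir can sign with the signing subkey ...
    echo 'constructed message' \
        | gpg --homedir "$h2" --batch --pinentry-mode loopback --passphrase "$pass" \
              --local-user "$fpr" --sign >/dev/null 2>&1 || result=sign-failed
    # ... but certificate changes need the primary key and must fail here.
    if gpg --homedir "$h2" --batch --pinentry-mode loopback --passphrase "$pass" \
           --quick-add-uid "$fpr" 'Extra User <extra@example.invalid>' >/dev/null 2>&1; then
        result=primary-leaked
    fi
    # The key manager, holding the primary key, can still add user IDs.
    gpg --homedir "$h1" --batch --pinentry-mode loopback --passphrase "$pass" \
        --quick-add-uid "$fpr" 'Extra User <extra@example.invalid>' >/dev/null 2>&1 \
        || result=manager-cannot-edit

    gpgconf --homedir "$h1" --kill gpg-agent >/dev/null 2>&1 || true
    gpgconf --homedir "$h2" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$h1" "$h2"
    echo "$result"
}

if [ "${1:-}" = "--run" ]; then
    demo_split_subkeys
fi
```

Run it as `sh split-subkeys.sh --run`. In the users' homedir `gpg -K` lists the primary as `sec#`, the stub marker, which is the quick way to confirm that a distributed keyring carries no certify-capable secret key; the revocation problem Paul mentions remains, since a departing user keeps a copy of the subkeys until they are revoked and replaced from the primary.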