At Sun, 2 Apr 2017 11:20:16 -0700, Doug Barton wrote:
> On 04/01/2017 07:10 AM, Will Senn wrote:
> > 3. I've read
> > https://superuser.com/questions/466396/how-to-manage-gpg-keys-across-multiple-systems
> > and other such pieces proclaiming the value of having the master key in
> > a safe place and having subkeys on your actual devices.
>
> What do you think a master key is, and why do you think it's important
> to protect it? What kind of devices do you want to put signing subkeys
> on? Why do you think that your use of PGP will be more secure if you
> have a signing subkey on a device, instead of your "main key?"
Your main key is a unique global identifier. It is what you write on your business card and what you compare to validate a key. If it is compromised, then you need to revoke your main key and generate a new one. This means you have to throw away your old business cards and inform all of your contacts that you have a new key.

If a subkey is compromised, then you only need to rotate the subkey, not the whole key. In other words, you don't have to throw away your business cards or inform your contacts that something has changed: their OpenPGP implementation will automatically learn about the changes the next time your key is refreshed.

In short, the main key acts as a level of indirection, which separates your identity from your encryption/signing keys.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
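An added example, not part of the thread above, showing the indirection the reply describes in practice: a certify-only primary key with separate signing and encryption subkeys, followed by a signing-subkey rotation that leaves the primary fingerprint (the identity on the business card) unchanged. It runs gpg in a throwaway GNUPGHOME; the user ID, algorithms and expiry values are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a certify-only primary key with separate
# signing/encryption subkeys, then rotating the signing subkey. Everything runs
# in a throwaway GNUPGHOME; the user ID and algorithms are assumed for the demo.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive gpg with an unprotected key (acceptable for a throwaway keyring).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the primary key: the 'fpr' record that follows 'pub'.
primary_fpr() {
  g --with-colons --with-fingerprint --list-keys "$1" |
    awk -F: '/^pub:/ {p=1; next} p && /^fpr:/ {print $10; exit}'
}

# Fingerprints of all subkeys: each 'fpr' record that follows a 'sub'.
subkey_fprs() {
  g --with-colons --with-fingerprint --list-keys "$1" |
    awk -F: '/^sub:/ {s=1; next} s && /^fpr:/ {print $10; s=0}'
}

# Prints: <primary fpr at creation> <primary fpr after rotation> <subkey count>
demo_subkey_rotation() {
  uid="Demo User <demo@example.com>"          # constructed identity
  # 1. The identity: a primary key that can only certify (no sign/encrypt).
  g --quick-generate-key "$uid" ed25519 cert never
  fpr=$(primary_fpr "$uid")
  # 2. The keys that actually live on devices.
  g --quick-add-key "$fpr" ed25519 sign 1y
  g --quick-add-key "$fpr" cv25519 encr 1y
  old_sign=$(subkey_fprs "$fpr" | sed -n 1p)
  # 3. Rotate the signing subkey: add a replacement and expire the old one
  #    (a compromised subkey would be revoked instead). Contacts pick this
  #    up on their next key refresh; the primary fingerprint is untouched.
  g --quick-add-key "$fpr" ed25519 sign 1y
  g --quick-set-expire "$fpr" seconds=1 "$old_sign"
  printf '%s %s %s\n' "$fpr" "$(primary_fpr "$fpr")" "$(subkey_fprs "$fpr" | wc -l)"
}

if [ "${1:-}" = run ]; then demo_subkey_rotation; fi
```

Run it as `sh demo.sh run`; the first two fingerprints printed are identical and the third field is 3 (old signing, encryption, new signing subkey).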