On 4/2/17 2:00 PM, Neal H. Walfield wrote:
> At Sun, 2 Apr 2017 11:20:16 -0700,
> Doug Barton wrote:
>> On 04/01/2017 07:10 AM, Will Senn wrote:
>>> 3. I've read
>>> https://superuser.com/questions/466396/how-to-manage-gpg-keys-across-multiple-systems
>>> and other such pieces proclaiming the value of having the master key in
>>> a safe place and having subkeys on your actual devices.
>> What do you think a master key is, and why do you think it's important
>> to protect it? What kind of devices do you want to put signing subkeys
>> on? Why do you think that your use of PGP will be more secure if you
>> have a signing subkey on a device, instead of your "main key?"
> Your main key is a unique global identifier. It is what you write on
> your business card and what you compare to validate a key. If it is
> compromised, then you need to revoke your main key and generate a new
> one. This means you have to throw away your old business cards and
> inform all of your contacts that you have a new key. If a subkey is
> compromised, then you only need to rotate the subkey, not the whole
> key. In other words, you don't have to throw away your business cards
> or inform your contacts that something has changed: their OpenPGP
> implementation will automatically learn about the changes the next
> time your key is refreshed.
>
> In short, the main key acts as a level of indirection, which separates
> your identity from your encryption/signing keys.

Sounds like what I was led to believe to be the case, but at the end of the day, I don't seem to be able to sign anything with the signing subkey if the master key is not present (with sec instead of sec#). Do you know how I get it to use the subkey (the manual says it will default to a signing subkey, but that's not my experience).

Thanks,
Will
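An added example, not part of the thread: a small check of `gpg --list-secret-keys --with-colons` output that reports whether the primary secret key is only a stub (the `sec#` case mentioned above) and which signing subkeys have secret material on the device. The field positions are taken from GnuPG's doc/DETAILS as the author of this example understands them, and the key IDs and listing in `SAMPLE` are constructed.

```python
# Added example: classify secret-key records from
#   gpg --list-secret-keys --with-colons
# Assumed field layout (GnuPG doc/DETAILS): 1 = record type, 2 = validity,
# 5 = key ID, 12 = capabilities, 15 = "#" when only a stub of the secret
# key is stored locally (shown as "sec#" / "ssb#" in the normal listing).

# Constructed listing: offline primary key, one signing and one encryption subkey.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1490000000:::u:::scESC:::#:
uid:u::::1490000000::PLACEHOLDERHASH::Constructed User <user@example.org>:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1490000000::::::s:::+:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1490000000::::::e:::+:
"""


def parse_secret_keys(colons):
    """Return one dict per sec/ssb record in the colon listing."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue  # uid, fpr, grp and other records are not keys
        f += [""] * (15 - len(f))  # tolerate short records
        keys.append({
            "type": f[0],
            "validity": f[1],
            "keyid": f[4],
            "caps": f[11],
            "secret_present": f[14] != "#",  # "#" marks a stub
        })
    return keys


def signing_report(colons):
    """Summarise what this keyring can sign with."""
    keys = parse_secret_keys(colons)
    primary_offline = any(
        k["type"] == "sec" and not k["secret_present"] for k in keys)
    usable = [
        k["keyid"] for k in keys
        if k["type"] == "ssb" and "s" in k["caps"]
        and k["secret_present"] and k["validity"] not in ("r", "e")
    ]
    return {"primary_offline": primary_offline,
            "usable_signing_subkeys": usable}


if __name__ == "__main__":
    print(signing_report(SAMPLE))
```
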