On 2017-08-17 23:25 -0400 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
>I still don't think this is a good justification, fwiw. If you think
>you'll be making these certifications for other people to consume,
>please do those other people a favor and just use your primary key.
>The OpenPGP world has a habit of trying to make things too fancy. Keep
>it simple!

I really do not follow your argument (if any). Whether I sign with my primary key or a subkey is a low level detail. There is no additional difficulty encountered by the user who verifies a certificate made by a subkey, assuming he is using a capable OpenPGP implementation. This is a low level detail that is for the most part abstracted from the user by the implementation (GNU PG); just as users need not know number theory in order to use public key algorithms, they need not be concerned with whether I use my primary key or a subkey for certifying.

>> Also, using a subkey for signing still has a size advantage. If you
>> have, say, 5 keys signed by my ECC subkey. there will be less size
>
>Where are you trying to save these bytes?

In my own and other people's keyrings and in key servers.

>I don't know of a way to change usage flags on an existing subkey with
>GnuPG without modifying the source.
>
>You can add a new subkey with your chosen usage flags in --expert mode,
>though. But i don't recommend it.

Like I said in a previous message, even using “gpg --expert --edit-key” (GNU PG version 2.1.18 as shipped in Debian 9), I do not get the option to toggle the certify capability when adding a new subkey, not even if I choose the option “choose your own capabilities”.

Hmm... it looks like I will have to do some programming. This is not good. GNU PG should already have this feature.

Regards.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users