Hello, I have a certify-only master keypair in an air-gapped machine. I only use that machine to create subkeys and sign other people's keys. The subkeys are copied onto smartcards which I use in daily life.

Assuming that smartcards aren't indestructible and can be lost, I always have a backup smartcard handy. Because you can't really share a subkey with multiple smartcards [1], I took the approach of generating subkeys for each smartcard. This means that I have multiple sign/enc/auth subkeys that are used in lockstep, but I have a single $GNUPGHOME and it is really easy for me to use any of my smartcards: data that I care about is encrypted for all the smartcards and all the smartcards are authorized for ssh logins.

On the other hand, having multiple sign subkeys doesn't really make sense for publishing data (e.g. software releases). Moreover my ring of enc subkeys is not usable for people who are trying to communicate with me: it's not really reasonable to ask people to encrypt data for all my subkeys, and GPG is designed to use the most recent key for the requested (sign/enc/auth) usage anyway.

To alleviate that problem I was wondering if it was possible to create another sign/enc subkey and publish (to keyservers) that subkey only (along with my master public key of course). In other words I would have two views of the same keyring: one with all my subkeys for my own use with my smartcards, and one for use by other people with only my master key and my sign/enc subkey, so that there is no ambiguity about which subkey to use when communicating with me or verifying my signatures.

I hope this is intelligible and I am curious about how other people approached that problem.

Thank you & have a nice weekend,

[1] https://dev.gnupg.org/T2291

--
Louis Oper
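The "two views of the same keyring" idea above, as an added example that is neither from the original post nor GnuPG's own code: a small Python filter over a binary `gpg --export` stream that keeps the primary key, its user IDs and self-signatures, and only the subkeys whose v4 fingerprints are listed, so the result can be published while the full keyring stays local. It assumes a binary (not armored) export, v4 keys and no partial-length packets; the sample stream at the bottom is constructed, not a real key.

```python
import hashlib
SIG, SUBKEY = 2, 14  # OpenPGP packet tags (RFC 4880 4.3); 6 = primary key, 13 = user ID

def parse_packets(data):
    """Split a binary (non-armored) OpenPGP stream into (tag, body, raw) tuples."""
    out, pos = [], 0
    while pos < len(data):
        ctb, p = data[pos], pos + 1
        if not ctb & 0x80: raise ValueError("no packet header at offset %d" % pos)
        if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag, l1, p = ctb & 0x3F, data[p], p + 1
            if l1 < 192:
                length = l1
            elif l1 < 224:
                length, p = ((l1 - 192) << 8) + data[p] + 192, p + 1
            elif l1 == 255:
                length, p = int.from_bytes(data[p:p + 4], "big"), p + 4
            else: raise ValueError("partial body lengths are not supported")
        else:  # old-format header (RFC 4880 4.2.1); length type 3 = indeterminate
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 0x03]
            if n is None: raise ValueError("indeterminate length is not supported")
            length, p = int.from_bytes(data[p:p + n], "big"), p + n
        body = data[p:p + length]
        if len(body) != length: raise ValueError("truncated packet at offset %d" % pos)
        out.append((tag, body, data[pos:p + length]))
        pos = p + length
    return out

def v4_fingerprint(key_body):  # RFC 4880 12.2: SHA-1(0x99 || 2-byte body length || body)
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def keep_subkeys(exported_key, publish_fprs):
    """Keep primary key, user IDs and self-sigs, but only the listed subkeys."""
    wanted = {f.replace(" ", "").upper() for f in publish_fprs}
    out, keep = [], True
    for tag, body, raw in parse_packets(exported_key):
        if tag == SUBKEY:  # a dropped subkey takes the binding signatures after it with it
            keep = v4_fingerprint(body) in wanted
        elif tag != SIG:  # a signature packet belongs to the packet before it
            keep = True
        if keep: out.append(raw)
    return b"".join(out)

# Constructed sample (not a real key): primary key, user ID + self-sig, then two
# subkeys with a binding signature each. Old-format headers, as GnuPG writes them.
def pkt(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body
SUBKEY_A, SUBKEY_B = b"\x04" + b"A" * 8, b"\x04" + b"B" * 8
SAMPLE = (pkt(6, b"\x04" + b"P" * 8) + pkt(13, b"Louis <louis@example.org>") + pkt(SIG, b"\x04\x13")
          + pkt(SUBKEY, SUBKEY_A) + pkt(SIG, b"\x04\x18") + pkt(SUBKEY, SUBKEY_B) + pkt(SIG, b"\x04\x18"))
PUBLISHED = keep_subkeys(SAMPLE, [v4_fingerprint(SUBKEY_A)])  # the view to put on a keyserver
```

GnuPG 2.1 and later can do the same projection itself with `--export-filter drop-subkey=...`; the packet-level version above makes visible what such a published view contains and what gets dropped with each subkey.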