Re: The best practice of master/sub key capabilities

2015-08-30 Thread Peter Lebbing
On 22/08/15 17:25, Dongsheng Song wrote:
> Now I want to create my new key like this:
>
> sec rsa4096/93D374EB 2015-08-22 [C]
> uid [ultimate] example
> ssb rsa2048/466D08E1 2015-08-22 [S]
> ssb rsa2048/AD92E667 2015-08-22 [E]
> ssb rsa2048/07DEFA25 2015-08-22 [A]
> ssb ed25519/

Re: The best practice of master/sub key capabilities

2015-08-22 Thread Dongsheng Song
On Fri, Aug 21, 2015 at 6:49 PM, Peter Lebbing wrote:
> On 21/08/15 11:31, Dongsheng Song wrote:
>> But I still didn't know why the master key have sign and certify
>> capabilities in the default ?
>
> I suppose because it doesn't hurt. They're both signatures in essence;
> cryptographically they a

Re: The best practice of master/sub key capabilities

2015-08-21 Thread Simon Josefsson
Dongsheng Song writes:
> Hi all,
>
> When I create new master/sub key, in the following 2 choice, I'm
> wondering which is better?
>
> 1) master key have SCEA capabilities
>
> sec rsa4096/A19676A1
> created: 2015-08-20 expires: never usage: SCEA
> trust: ultimate validity:

Re: The best practice of master/sub key capabilities

2015-08-21 Thread Peter Lebbing
On 21/08/15 11:31, Dongsheng Song wrote:
> But I still didn't know why the master key have sign and certify
> capabilities in the default ?

I suppose because it doesn't hurt. They're both signatures in essence; cryptographically they are the same and exchangeable. The difference only lies in the int

Re: The best practice of master/sub key capabilities

2015-08-21 Thread Dongsheng Song
Thanks, now I see why I should use an exclusively subkey for authenticate capability. But I still didn't know why the master key have sign and certify capabilities in the default ? I think the sign capability should move to an exclusively subkey.

Re: The best practice of master/sub key capabilities

2015-08-21 Thread Peter Lebbing
On 20/08/15 17:01, Peter Lebbing wrote:
> Most importantly, it's generally advised not to do encryption and
> signing with the same key material.

This is just a general recommendation, and abusing the fact a key is used for both encryption and signatures is an intricate matter. But since OpenPGP

Re: The best practice of master/sub key capabilities

2015-08-20 Thread Peter Lebbing
> When I create new master/sub key, in the following 2 choice, I'm
> wondering which is better?

I'd recommend the defaults as best practice. They're there for a reason. Why are you restricting yourself to "the following 2 choices"? They both seem ill-advised (and unusual as well). Most importantly

The best practice of master/sub key capabilities

2015-08-20 Thread Dongsheng Song
Hi all,

When I create new master/sub key, in the following 2 choice, I'm wondering which is better?

1) master key have SCEA capabilities

sec rsa4096/A19676A1
created: 2015-08-20 expires: never usage: SCEA
trust: ultimate validity: ultimate
ssb rsa4096/27ADD750
create