
Re: wanted: educate us please on key dongles

On Fri, 11 Aug 2017, Jonathan McDowell wrote:
> On Fri, Aug 11, 2017 at 10:08:16AM -0700, Sean Whitton wrote:
> > On Fri, Aug 11 2017, Jonathan McDowell wrote:
> > >  * If you don't want to buy hardware, use an offline master key. Create
> > >    a certification only master key using something like PGP Clean Room
> > >    on a non-networked host [...]
> > 
> > By default, GnuPG creates a signing+certification master key.  Could you
> > explain why it's a good idea to override that?  I'm not sure what it
> > achieves.
> I see no reason why the master key should ever be used for signatures in
> such a scenario, so it seems sensible to indicate that it is purely for
> certification.

Well, it can be useful.  An SC master key (Sign and Certify) can be used
to sign messages explaining to someone else the need for a new subkey
when you had to revoke every subkey, when just adding the subkey itself
is not enough, or when adding subkeys is subject to a delay.

Suppose you forget to renew/upload a new subkey in your Debian key set,
and the current subkeys expire: it takes time for a new subkey upload to
clear keyring maint.  During that time, an SC master key can be used in
an emergency to sign a vote or an upload.

  Henrique Holschuh
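The thread above contrasts a certify-only master key (with signing on a subkey) against GnuPG's default sign+certify master key. The following is an added example, not code from any of the posters: a small POSIX sh script that (a) creates the certify-only layout Jonathan describes with GnuPG's `--quick-generate-key`/`--quick-add-key` (requires `gpg`, and the user-id is a placeholder), and (b) audits a `gpg --with-colons --list-keys` listing to report which capabilities the primary key itself carries versus what lives on subkeys, so you can tell an SC master from a C-only one. The two listings embedded in the script are constructed for the demonstration; the key ids and fingerprints in them are dummy values.

```shell
#!/bin/sh
# Added example: certify-only master key with signing/encryption subkeys,
# plus an audit of a key listing. Not code from the Debian thread.

# (a) Generate the layout: certify-only primary, then a sign and an encrypt
#     subkey. Needs gpg; the user-id is a placeholder you replace.
make_cert_only_key() {
    uid="$1"    # e.g. "Jane Doe <jane@example.org>" (placeholder)
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" rsa4096 cert never
    fpr=$(gpg --with-colons --list-keys "$uid" | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" rsa4096 sign 1y
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" rsa4096 encrypt 1y
    echo "$fpr"
}

# (b) Audit helpers. In --with-colons output, field 12 holds capabilities:
#     lowercase = what this key itself can do, uppercase = what the whole
#     key (primary + subkeys) can do. A certify-only primary shows "cESC",
#     the GnuPG default sign+certify primary shows "scESC".
primary_caps() {            # reads a listing on stdin, prints e.g. "c" or "sc"
    awk -F: '$1=="pub"{ gsub(/[^a-z]/, "", $12); print $12; exit }'
}

subkey_caps() {             # reads a listing on stdin, prints e.g. "se"
    awk -F: '$1=="sub"{ gsub(/[^a-z]/, "", $12); s = s $12 } END{ print s }'
}

# Returns 0 when the primary is certify-only and signing is on a subkey,
# 1 otherwise (e.g. the default SC master key Sean asked about).
audit_listing() {
    p=$(printf '%s\n' "$1" | primary_caps)
    s=$(printf '%s\n' "$1" | subkey_caps)
    if [ "$p" = "c" ] && printf '%s' "$s" | grep -q s; then
        echo "ok: certify-only primary ($p), subkeys provide '$s'"
        return 0
    fi
    echo "note: primary key itself can '$p' (not certify-only); subkeys provide '$s'"
    return 1
}

# Constructed sample listings (dummy key ids/fingerprints, not real keys).
GOOD_LISTING='pub:u:4096:1:0000000000000001:1500000000:::u:::cESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1500000000::0000000000000000000000000000000000000001::Example Key <key@example.org>::::::::::0:
sub:u:4096:1:0000000000000002:1500000000:1531536000:::::s::::::23:
sub:u:4096:1:0000000000000003:1500000000:1531536000:::::e::::::23:'

BAD_LISTING='pub:u:4096:1:0000000000000004:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000004:
uid:u::::1500000000::0000000000000000000000000000000000000004::Example Key <key@example.org>::::::::::0:
sub:u:4096:1:0000000000000005:1500000000:1531536000:::::e::::::23:'

# Usage on a live keyring: gpg --with-colons --list-keys "$uid" | audit_listing "$(cat)"
audit_listing "$GOOD_LISTING"
audit_listing "$BAD_LISTING" || true
```

Running the audit against the output of `gpg --with-colons --list-keys` for your own key tells you at a glance whether the primary is the SC default or the C-only layout; which of the two you want is exactly the trade-off Henrique describes, since a C-only primary cannot step in to sign an upload or vote while a replacement subkey is still clearing keyring maintenance.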
