[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wanted: educate us please on key dongles

On Tue, 29 Aug 2017, Marc Haber wrote:
> - Which key goes on the paper slab that everybody uses to collect
>   signatures? The certification only master key?

The main key fingerprint.  Which happens to be the certification master
key in gnupg, yes.

> - For which (set of) keys should I have revocation certificates on file?

You need to have a revocation certificate for the master key.  When you
revoke it, you revoke every subkey as well.  Also, as long as you keep
control of the master key, you can revoke any subkey.

It goes without saying that losing control of your revocation
certificate can open you to a DoS attack, so please keep it protected
somehow, but NOT in a way you might find yourself unable to use it.

> - What key goes into the Debian keyring? A signing (only?) subkey of the
>   certification master key? Is it recommended to have this key
>   "available", for example in a Gnuk on my keychain next to the key to
>   my home?

The **public** portion of *every* key (master and all subkeys) go into
the public keyrings and also in the Debian keyring.  gnupg will handle
this automatically if you use "--export" (do *NOT* confuse with a
different export option that is for private keys).

In the "normal use" smartcard, you store the *private* portion of the
*subkeys* you need.

In a offline digital vault of some sort (encrypted removable storage, or
secure smartcard, etc), you need to keep everything including the
private portion of the master (main) key.

In .gnupg you might have to store a "crippled" version of the main key,
which has its private data zeroed, for it to work.  This is where people
screw up and lose the key, or fail to protect it, so it should be a
topic of its own.

> - Which (set of) keys goes to the key servers?

Only the public keys (all of them: master and subkeys).  gnupg will
handle this automatically if you use --send-key.

  Henrique Holschuh

Reply to: