Re: wanted: educate us please on key dongles
On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote:
> * If you don't want to buy hardware, use an offline master key. Create
> a certification only master key using something like PGP Clean Room
> on a non-networked host, and store that on a USB key you only ever put
> into your machine when running your clean, non-networked,
> environment. Create at least 2 subkeys - signing + encryption - and
> use those in your day to day work. You then only need the master key
> when dealing with signing other keys, or updating your subkeys. In
> the event of your subkeys being compromised or lost or whatever you
> can just regenerate; because your master key is offline it should
> remain secure meaning you don't have to go through the pain of
> getting cross signatures again.
- Which key goes on the paper slab that everybody uses to collect
signatures? The certification only master key?
- For which (set of) keys should I have revocation certificates on file?
- What key goes into the Debian keyring? A signing (only?) subkey of the
certification master key? Is it recommended to have this key
"available", for example in a Gnuk on my keychain next to the key to
my home?
- Which (set of) keys goes to the key servers?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
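The layout Jonathan describes in the quoted paragraph (certification-only master key kept offline, signing and encryption subkeys for daily use) can be produced unattended with GnuPG. The script below is an added example and not code from anyone in this thread; it assumes GnuPG 2.1 or newer (for `--quick-generate-key`, `--quick-add-key` and the revocation certificate GnuPG writes to `openpgp-revocs.d/` at generation time). The function names, the output file names, the user id, the passphrase and the choice of ed25519/cv25519 (picked because they generate quickly; rsa4096 works the same way) are all assumptions of this example.

```shell
#!/bin/sh
# Added example for the offline-master / daily-subkey layout from the quoted
# reply. Not code from the thread. Assumes GnuPG 2.1+ (needed for the
# --quick-* commands and the automatic revocation certificate in
# openpgp-revocs.d). User id, passphrase and file names are constructed.

# Run gpg against one homedir in unattended mode with a loopback passphrase.
g() {
    hd="$1"; pass="$2"; shift 2
    gpg --homedir "$hd" --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" "$@"
}

# Create the certification-only master key plus one signing and one
# encryption subkey in $1 (the homedir that stays on the offline USB key),
# and write the three things that leave the clean environment into $2:
#   public.asc          public certificate (master + subkeys): what keyservers take
#   secret-subkeys.asc  secret material for the subkeys only: the daily machine
#   revoke-<FPR>.asc    revocation certificate for the master: kept on file
# Prints the master key fingerprint, the value a key-signing slip carries.
gen_offline_keys() {
    hd="$1"; out="$2"; uid="$3"; pass="$4"
    mkdir -p -m 700 "$hd"
    mkdir -p "$out"
    # usage "cert": the primary key may only certify (sign keys/subkeys);
    # it can neither sign data nor decrypt, so daily work never touches it.
    g "$hd" "$pass" --quick-generate-key "$uid" ed25519 cert 2y >/dev/null
    fpr=$(gpg --homedir "$hd" --batch --with-colons --list-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    g "$hd" "$pass" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null
    g "$hd" "$pass" --quick-add-key "$fpr" cv25519 encr 1y >/dev/null
    g "$hd" "$pass" --armor --export "$fpr" > "$out/public.asc"
    g "$hd" "$pass" --armor --export-secret-subkeys "$fpr" > "$out/secret-subkeys.asc"
    # GnuPG 2.1+ generates this revocation certificate together with the key.
    cp "$hd/openpgp-revocs.d/$fpr.rev" "$out/revoke-$fpr.asc"
    echo "$fpr"
}

# Import the subkey export on the daily machine ($1 = its homedir).
import_subkeys_daily() {
    mkdir -p -m 700 "$1"
    gpg --homedir "$1" --batch --quiet --import "$2" 2>/dev/null
}

# True when the homedir holds only a stub for the master secret key:
# gpg marks an unavailable primary secret key as "sec#" in its listing.
master_is_stub() {
    gpg --homedir "$1" --batch --list-secret-keys 2>/dev/null | grep -q '^sec#'
}

# Number of usable secret subkeys ("ssb" records carry the [S] and [E] keys).
count_secret_subkeys() {
    gpg --homedir "$1" --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "ssb" { n++ } END { print n + 0 }'
}

# Stop the agent started for a throwaway homedir.
cleanup_homedir() {
    gpgconf --homedir "$1" --kill all 2>/dev/null || true
}
```

After `import_subkeys_daily` the daily machine lists the master as `sec#` and the two subkeys as `ssb`, so a compromise there exposes only material that can be replaced by regenerating subkeys from the offline homedir; the fingerprint printed by `gen_offline_keys` stays the same across such replacements, which is why it is the value that goes on a signing slip. `public.asc` contains the public master and subkeys together; subkeys are never published on their own.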