On Sat, Jan 14, 2006 at 12:30:25PM -0700, Anne & Lynn Wheeler wrote:

> Guus Sliepen wrote:
> > By default, GPG creates a signing key and an encryption key. The signing
> > key is used both for signing other keys (including self-signing your own
> > keys), and for signing documents (like emails). However, it is possible
> > to "split" the signing key into a master key that you only use to sign
> > other keys, and a key dedicated to signing documents. You can revoke the
> > latter key and create a new one whenever you want, the master key is
> > still valid. Also, when people sign your key, they sign your master key,
> > not the subkeys. The signatures you accumulated will also still be
> > valid. You can also keep the master key safely tucked away on an old
> > laptop that you keep in a safe, and only export the subkeys to your
> > workstation. That way the master key is very safe.
>
> as in previous post ... i assert that fundamental digital signature
> verification is an authentication operation
> http://www.garlic.com/~lynn/aadsm22.htm#5 long-term GPG signing keys
>
> and doesn't (by itself) carry with it characteristics of human
> signature, read, understood, approves, agrees, and/or authorizes.

It depends on how it is used. For example, when I sent this email, I
typed in the passphrase of my PGP key, authorising GnuPG to create a
signature for this email. This comes very close to "human signing". I
read, understood, approve etc. with the contents of this email. If
asymmetric cryptography is used to automatically sign a credit card
transaction without the user having to do more than click a button, then
I agree that in that situation, the digital signature is not the same as
a human signature.

[...]

> it is when you start equating private keys with certification and truth
> characteristics that you move into a completely different risk and
> threat domain.

I don't equate private keys with that. I do equate signatures made with
those keys with that.

> the other foray into embellishing private keys and digital signatures
> with human signature type characteristics was the non-repudiation
> activity. however, it is now commonly accepted that to embellish
> digital signatures with non-repudiation attributes requires a whole lot
> of additional business processes ... not the simple operation of
> generating an authentication digital signature.

[...]

> the corollary is that digitally signed certificates and
> private keys embellished with certification and truth characteristics
> become less and less meaningful.

That is probably true, but in the meantime Travis still wants to know how
to create a PGP key with the properties he wishes for.

-- 
Met vriendelijke groet / with kind regards,
      Guus Sliepen <[EMAIL PROTECTED]>
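
The master key / signing subkey split described in the quoted text above, as an added example that is not part of the original thread: one function creates such a key and another audits a key listing for the split. It assumes GnuPG 2.1 or later; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, assumes GnuPG 2.1+. Function names and sample listings are
# constructed for illustration.

# Create a certify-only master key ($2 = user ID) in keyring $1, then add a
# signing subkey that expires after a year. gpg prompts for the passphrase.
make_split_key() {
    gpg --homedir "$1" --quick-generate-key "$2" ed25519 cert never || return 1
    fpr=$(gpg --homedir "$1" --batch --with-colons --list-keys "$2" |
          awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --homedir "$1" --quick-add-key "$fpr" ed25519 sign 1y
}

# Audit `gpg --with-colons --list-keys KEY` output read from stdin (one key).
# Field 2 is validity (r revoked, e expired), field 12 the capabilities. On the
# "pub" line lowercase letters are the primary key's own capabilities; the
# uppercase ones summarise the whole key and are stripped before comparing.
audit_split() {
    LC_ALL=C awk -F: '
        $1 == "pub" { primary = $12; gsub(/[A-Z]/, "", primary) }
        $1 == "sub" && $12 ~ /s/ && $2 !~ /^[re]/ { signing_sub = 1 }
        END {
            if (primary != "c") { print "primary key is not certify-only: " primary; exit 1 }
            if (!signing_sub) { print "no usable signing subkey"; exit 1 }
            print "ok: certify-only primary, signing on a subkey"
        }'
}

# Constructed listing of a default-style key: the primary signs and certifies.
sample_default() {
    printf '%s\n' \
        'pub:u:255:22:AAAAAAAAAAAAAAAA:1136073600:::u:::scESC:' \
        'sub:u:255:18:BBBBBBBBBBBBBBBB:1136073600::::::e:'
}

# Constructed listing of a split key: one revoked, one current signing subkey.
sample_split() {
    printf '%s\n' \
        'pub:u:255:22:AAAAAAAAAAAAAAAA:1136073600:::u:::cSC:' \
        'sub:r:255:22:BBBBBBBBBBBBBBBB:1136073600::::::s:' \
        'sub:u:255:22:CCCCCCCCCCCCCCCC:1167609600::::::s:'
}

sample_default | audit_split || true
sample_split | audit_split
```

For a real key, pipe `gpg --with-colons --list-keys KEYID` into `audit_split`; `gpg --export-secret-subkeys` exports only the subkeys for the workstation keyring.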