On Fri, 11 Aug 2017, Jonathan McDowell wrote:
> On Fri, Aug 11, 2017 at 10:08:16AM -0700, Sean Whitton wrote:
> > On Fri, Aug 11 2017, Jonathan McDowell wrote:
> > > * If you don't want to buy hardware, use an offline master key. Create
> > >   a certification only master key using something like PGP Clean Room
> > >   on a non-networked host [...]
> >
> > By default, GnuPG creates a signing+certification master key. Could you
> > explain why it's a good idea to override that? I'm not sure what it
> > achieves.
>
> I see no reason why the master key should ever be used for signatures in
> such a scenario, so it seems sensible to indicate that it is purely for
> certification.
Well, it can be useful. An SC master key (Sign and Certify) can be used to
sign messages explaining to someone else the need for a new subkey when you
had to revoke every subkey, when just adding the subkey itself is not enough,
or when adding subkeys is subject to a delay.

Suppose you forget to renew/upload a new subkey in your Debian key set, and
the current subkeys expire: it takes time for a new subkey upload to clear
keyring maint. During that time, an SC master key can be used in an emergency
to sign a vote or an upload.

-- 
Henrique Holschuh
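The difference the two replies argue over is visible in the usage flags GnuPG reports. The following is an added example, not code from the thread or from GnuPG: it parses the colon-separated output of `gpg --list-keys --with-colons` (constructed sample records with fake key IDs) to tell a certification-only master from the default SC master, and to list which keys are still able to sign once every subkey has expired.

```python
# Check GnuPG usage flags in `gpg --list-keys --with-colons` output.
# Field 12 of a pub/sub record holds the key's own capabilities in lowercase
# (e=encrypt, s=sign, c=certify, a=authenticate); on the pub record the
# uppercase letters summarise what the whole key (primary + subkeys) can do.
# Field 2 is validity, where "e" means expired and "r" means revoked.
from typing import Dict, List

# Constructed sample (fake key IDs): GnuPG's default SC master key with
# one signing subkey and one encryption subkey.
SAMPLE_SC_MASTER = """\
pub:u:4096:1:0123456789ABCDEF:1502467200:::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000000000000AB:
uid:u::::1502467200::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1502467200:1565539200:::::s::::::23:
sub:u:4096:1:1111222233334444:1502467200:1565539200:::::e::::::23:
"""
# Same key set with a certification-only master, as suggested in the thread.
SAMPLE_C_MASTER = SAMPLE_SC_MASTER.replace(":scESC:", ":cESC:")
# The scenario Henrique describes: every subkey has expired.
SAMPLE_SC_EXPIRED = SAMPLE_SC_MASTER.replace("sub:u:", "sub:e:")
SAMPLE_C_EXPIRED = SAMPLE_C_MASTER.replace("sub:u:", "sub:e:")


def key_records(colons_output: str) -> List[Dict[str, str]]:
    """One dict per pub/sub record: type, validity, key ID and own capabilities."""
    keys = []
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        keys.append({"type": f[0], "validity": f[1], "keyid": f[4],
                     "caps": "".join(ch for ch in f[11] if ch.islower())})
    return keys


def master_is_cert_only(colons_output: str) -> bool:
    """True when the primary key carries 'c' and no other usage flag."""
    pub = next(k for k in key_records(colons_output) if k["type"] == "pub")
    return pub["caps"] == "c"


def usable_signers(colons_output: str) -> List[str]:
    """Key IDs (primary or subkey) that can sign and are neither expired nor revoked."""
    return [k["keyid"] for k in key_records(colons_output)
            if "s" in k["caps"] and k["validity"] not in ("e", "r")]
```

With a C-only master and expired subkeys, `usable_signers` returns an empty list: nothing in the key set can sign until a new subkey has been uploaded and accepted, which is exactly the gap the SC master covers.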