On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 29 Aug 2017, Marc Haber wrote:
> > - Which key goes on the paper slab that everybody uses to collect
> >   signatures? The certification-only master key?
>
> The main key fingerprint. Which happens to be the certification master
> key in gnupg, yes.

Understood.

> > - For which (set of) keys should I have revocation certificates on file?
>
> You need to have a revocation certificate for the master key. When you
> revoke it, you revoke every subkey as well. Also, as long as you keep
> control of the master key, you can revoke any subkey.

Understood. I didn't find that information in all clearness anywhere.

> It goes without saying that losing control of your revocation
> certificate can open you to a DoS attack, so please keep it protected
> somehow, but NOT in a way you might find yourself unable to use it.

Of course.

> > - What key goes into the Debian keyring? A signing (only?) subkey of the
> >   certification master key? Is it recommended to have this key
> >   "available", for example in a Gnuk on my keychain next to the key to
> >   my home?
>
> The **public** portion of *every* key (master and all subkeys) goes into
> the public keyrings and also in the Debian keyring. gnupg will handle
> this automatically if you use "--export" (do *NOT* confuse with a
> different export option that is for private keys).

So it is probably a bad idea / impossible (?) to have a dedicated
signing-only key used for Debian that is guarded more closely than the
"regular every-day" key?

> In the "normal use" smartcard, you store the *private* portion of the
> *subkeys* you need.
>
> In an offline digital vault of some sort (encrypted removable storage, or
> secure smartcard, etc), you need to keep everything including the
> private portion of the master (main) key.

After pondering about that for a while, it might not be wise to have the
master certification key generated on a "the key never leaves the card"
smart card since that doesn't allow you to have backups. So one needs to
have the certification master key somewhere on a medium from where you
can read it, to be able to write it to a new smart card.

People keep mentioning to store the private key on a LUKS-encrypted
device. Why? Is the private key encryption that happens inside GnuPG
itself when you protect your private key with a passphrase not
sufficient?

> In .gnupg you might have to store a "crippled" version of the main key,
> which has its private data zeroed, for it to work. This is where people
> screw up and lose the key, or fail to protect it, so it should be a
> topic of its own.

That is the "stub" in GnuPG lingo, right?

> > - Which (set of) keys goes to the key servers?
>
> Only the public keys (all of them: master and subkeys). gnupg will
> handle this automatically if you use --send-key.

And I hope that it's really hard to fuck up here and to send private
keys to the keyserver. I have had people send me the private parts of
their ssh keys...

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
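The key layout the thread describes (certification-only master key kept in the vault, a signing subkey for daily use, public-only export for keyservers and the Debian keyring, a stub master in .gnupg), as an added shell example that is not part of the thread. It assumes GnuPG 2.1+ is on PATH and uses a throwaway GNUPGHOME and a constructed placeholder user id.

```shell
#!/bin/sh
# Added example, not from the thread: the master/subkey layout discussed
# above, done in a scratch GNUPGHOME. Assumes GnuPG 2.1+ on PATH; the
# user id below is a constructed placeholder.
set -eu

# 0 if an armored export carries a public key block and no secret-key
# block. Run it on anything headed for a keyserver or the Debian keyring.
check_public_only() {
  if grep -q 'PRIVATE KEY BLOCK' "$1"; then return 1; fi
  grep -q 'PUBLIC KEY BLOCK' "$1"
}

# 0 if a --with-colons secret listing on stdin shows the primary key as a
# stub ('#' in field 15, the token field): the master secret is absent.
master_is_stub() {
  awk -F: '$1 == "sec" { seen = 1; if ($15 == "#") stub = 1 }
           END { exit !(seen && stub) }'
}

demo_subkey_layout() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; cd "$GNUPGHOME"
  trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
  g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }
  who='Example Maintainer <maintainer@example.org>'   # constructed
  # Certification-only master key, then a separate signing subkey.
  g --quick-generate-key "$who" ed25519 cert never
  fpr=$(gpg --list-keys --with-colons "$who" | awk -F: '$1=="fpr"{print $10; exit}')
  g --quick-add-key "$fpr" ed25519 sign 1y
  # GnuPG 2.1+ already wrote the revocation certificate; this is the file
  # to keep off-line (and usable).
  ls "openpgp-revocs.d/$fpr.rev"
  # Keyserver / Debian keyring material: --export only, never the
  # secret-key export options.
  gpg --armor --export "$fpr" > pub.asc
  check_public_only pub.asc
  # Vault copy (full secret key) versus everyday copy (subkeys only).
  g --armor --export-secret-keys "$fpr" > vault-master.asc
  g --armor --export-secret-subkeys "$fpr" > subkeys-only.asc
  # Make this keyring the everyday "crippled" one: drop the master
  # secret and re-import only the subkeys, leaving a sec# stub.
  g --yes --delete-secret-keys "$fpr"
  g --import subkeys-only.asc
  gpg --list-secret-keys --with-colons | master_is_stub
  echo "ok: public export is clean and master key is a stub"
}

case "${1:-}" in run) demo_subkey_layout ;; esac
```

Run the walkthrough with `sh demo.sh run`; the two check functions also work on their own against any export file or `--with-colons` secret listing.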