Robin H. Johnson wrote:
> Additionally, if the developer uses the singular primary key for a lot of
> stuff, it is more vulnerable to attack.
>
> <opinion>
> Instead, the developer should create a subkey that is used for signing Gentoo
> work only. They should not sign anything else with this, including their
> Gentoo email.
>
> They may have an additional subkey for signing their Gentoo email if they
> wish.
> </opinion>

I don't know much about cryptography, but could you please elaborate on why
using one subkey for all the stuff is considered a Bad Thing?

> UID signatures:
> ---------------
> As I wrote last year, these may take several forms.
> We are concerned with several properties that they may have:
>
> Expiry dates of signatures:
> Unlike expiry dates of cryptokeys, these may not be changed - by default, they
> take on the expiry date of the certifying cryptokey, although a lower value
> may be set. If you have an existing signature that has expired, you need to
> get your uid signed again.

Off-topic question - I've already met Alice, verified her identity, signed her
keys, and now she wants me to sign her new subkey with the same name, e-mail,
etc. because the old one has expired. Alice lives in Canada, so I can't meet
her easily. Should I sign it again with the same level of "trust"?

Another situation - Bob, Alice's boyfriend, lives in Canada. I've met him
before, verified his identity and signed his subkey for [EMAIL PROTECTED] Now
he wants my signature for [EMAIL PROTECTED] Should I sign it?

Cheers,
-jkt

--
cd /local/pub && more beer > /dev/mouth
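Added example, not part of the thread above: a small Python parser for the hashed subpacket area of an OpenPGP v4 signature packet (RFC 4880), showing that a UID certification's expiry is carried in the signature itself (subpacket type 3, relative to the creation time in type 2) and can be checked before deciding whether a re-signing request is needed. The packet bytes are constructed inline; the MPI is a dummy and no real key produced them.

```python
import struct

# OpenPGP (RFC 4880) signature subpacket types used here
SIG_CREATION_TIME = 2    # 4-octet time the signature was made
SIG_EXPIRATION_TIME = 3  # 4-octet validity period, seconds after creation

def subpacket(sp_type, body):
    # One-octet length form (RFC 4880 5.2.3.1); the length counts the type octet
    assert len(body) + 1 < 192
    return bytes([len(body) + 1, sp_type]) + body

def v4_signature_body(sig_type, hashed):
    # version 4, signature type, pubkey algo RSA (1), hash algo SHA-256 (8),
    # hashed area, empty unhashed area, two hash-check octets, dummy 1-bit MPI
    return (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\x00\x00" + b"\x00\x01\x01")

def hashed_subpackets(sig_body):
    # Only the hashed area is covered by the signature, so only it is trusted
    if sig_body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    (hashed_len,) = struct.unpack(">H", sig_body[4:6])
    area, pos, found = sig_body[6:6 + hashed_len], 0, {}
    while pos < len(area):
        first = area[pos]
        if first < 192:            # one-octet length
            length, hdr = first, 1
        elif first < 255:          # two-octet length
            length, hdr = ((first - 192) << 8) + area[pos + 1] + 192, 2
        else:                      # five-octet length
            length, hdr = struct.unpack(">I", area[pos + 1:pos + 5])[0], 5
        sp_type = area[pos + hdr] & 0x7F   # mask off the "critical" bit
        found[sp_type] = area[pos + hdr + 1:pos + hdr + length]
        pos += hdr + length
    return found

def certification_expiry(sig_body):
    # Unix time at which the certification stops being valid, None if open-ended
    sp = hashed_subpackets(sig_body)
    created = struct.unpack(">I", sp[SIG_CREATION_TIME])[0]
    if SIG_EXPIRATION_TIME not in sp:
        return None
    return created + struct.unpack(">I", sp[SIG_EXPIRATION_TIME])[0]

def certification_expired(sig_body, now):
    expiry = certification_expiry(sig_body)
    return expiry is not None and now >= expiry

# Constructed samples: positive UID certifications (type 0x13) made at
# 1100000000 (Nov 2004), one with a one-year validity and one without expiry
ONE_YEAR = 365 * 24 * 3600
EXPIRING_CERT = v4_signature_body(0x13,
    subpacket(SIG_CREATION_TIME, struct.pack(">I", 1100000000))
    + subpacket(SIG_EXPIRATION_TIME, struct.pack(">I", ONE_YEAR)))
OPEN_ENDED_CERT = v4_signature_body(0x13,
    subpacket(SIG_CREATION_TIME, struct.pack(">I", 1100000000)))
```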