On 4/24/19 4:19 PM, Rich Freeman wrote:
> If it is the case that Nitrokeys can't support a separate primary key,
> I'd suggest modifying the GLEP to remove that requirement when a
> smartcard is in use.  Its main purpose is to keep a key component
> offline, and if the key is generated on the card that is already
> accomplished.  Maybe somebody has a suggestion for how to make the two
> work together, otherwise I'll go ahead and suggest a GLEP revision for
> the next Council meeting.

The Nitrokey has 3 slots: one signing (which can hold a signing subkey or
the primary), encryption and authentication. So yes, the primary should be
kept on an offline system or on a separate token that isn't brought
around on a regular basis, while the daily use operations use subkeys that
reside on the token.

The GLEP should not be changed on the requirement for a distinct signing
subkey; this is one of the expected results of it to begin with.
-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Attachment: signature.asc
Description: OpenPGP digital signature
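
An added example, not part of the original message: a check of the key layout described above (primary secret key absent from the daily-use machine and token, a distinct signing subkey on the token), run over `gpg --list-secret-keys --with-colons` output. It assumes the colon-format positions from GnuPG's doc/DETAILS (field 12 capabilities, field 15 token serial or `#`); the function names and the sample key are constructed for illustration.

```python
# Constructed sample of `gpg --list-secret-keys --with-colons` output (not a real key).
# Field 12 = capabilities; field 15 = "#" (secret part absent), a card serial, or "+".
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1556000000:1587536000::u:::cSC:::#:
uid:u::::1556000000::0000::Example Dev <dev@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1556000000:1587536000:::::s:::D2760001240100000000000000010000:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1556000000:1587536000:::::e:::D2760001240100000000000000010000:
"""

def location(field15):
    """Map field 15 to where the secret key material lives."""
    if field15 == "#":
        return "offline"            # only a stub is present on this machine
    return "disk" if field15 in ("", "+") else "card:" + field15

def key_layout(colons):
    """Return one record per primary key with its signing subkeys and their locations."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        own_caps = {c for c in f[11] if c.islower()}  # lowercase = this key's own usage
        if f[0] == "sec":
            keys.append({"keyid": f[4], "primary": location(f[14]), "sign_subkeys": []})
        elif keys and "s" in own_caps:
            keys[-1]["sign_subkeys"].append((f[4], location(f[14])))
    return keys

def findings(key):
    """List deviations from the layout described in the message above."""
    out = []
    if not key["sign_subkeys"]:
        out.append("no distinct signing subkey")
    if key["primary"] == "disk":
        out.append("primary secret key is on this machine's disk")
    if any(loc == key["primary"] and loc.startswith("card:")
           for _, loc in key["sign_subkeys"]):
        out.append("primary is on the same token as the signing subkey")
    return out

if __name__ == "__main__":
    for k in key_layout(SAMPLE):
        print(k["keyid"], k["primary"], findings(k) or "layout matches")
```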