On Sat, 24 Feb 2007 12:42:09 -0600, Robert J. Hansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> On FC4 with gpg 1.4.1:
>
> Please upgrade. There have been a couple of security updates since
> 1.4.1.
>
>> It says the key cannot be used for encryption, and a
>> subkey must be generated. Why?
>
> Why must an encryption subkey be generated? Because you don't have
> one. If you mean "why doesn't GnuPG create an encryption subkey at
> the same time it creates a signing subkey, the way it does for DSS/
> ElGamal keypairs", for that one you'd have to ask the developers.
> It's never made a lick of sense to me, myself.
>
>> If so, why was (sign and encrypt) not offered as an option?
>
> Having one key that can be used for both signing and encryption
> operations is thought by some to be bad crypto policy. The problems
> with it appear to be mostly theoretical, though.
>
>> I did this a year or two ago, and I do not remember
>> needing a subkey. I still have that keyring in
>> under another user.
>
> If your other key was DSS/ElGamal, that's because GnuPG created the
> additional subkey for you at the same time as your signing subkey. :)
>
> [...]

Now I created a key using "DSA and Elgamal (default)". As you suggest, it created a subkey for me, as can be seen in gpg --list-keys.

If I run gpg --list-keys on my old keyring, I see no subkeys in the old keys (Apr 2006), but there is a subkey in the public key imported from the new user account. Has there been a change? Are my old keys obsolete?

I don't remember if I upgraded gpg in the interim (present version 1.4.1), but I will upgrade, as you suggest.

Thanks,
Mike.
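
The capability question raised in this thread can be checked mechanically. The following is an added example, not part of the original messages or of GnuPG itself: it parses `gpg --with-colons --list-keys` output and reports which keys have a usable encryption-capable key or subkey. The field positions (2 validity, 4 algorithm, 5 key ID, 12 capabilities) follow GnuPG's doc/DETAILS; the sample listing, key IDs and function names are constructed for illustration.

```python
# Sample `gpg --with-colons --list-keys` records, constructed for this example.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:2007-02-24:::u:DSA user (constructed)::scESC:
sub:u:2048:16:BBBBBBBBBBBBBBBB:2007-02-24::::::e:
pub:u:2048:1:CCCCCCCCCCCCCCCC:2007-02-24:::u:RSA sign-only user (constructed)::scSC:
pub:u:1024:17:DDDDDDDDDDDDDDDD:2006-04-01:::u:Revoked-subkey user (constructed)::scSC:
sub:r:2048:16:EEEEEEEEEEEEEEEE:2006-04-01::::::e:
"""

ALGO_NAMES = {"1": "RSA", "16": "Elgamal (encrypt only)", "17": "DSA"}
UNUSABLE = set("redi")  # validity field: revoked, expired, disabled, invalid


def parse_keys(listing):
    """Group pub/sub records into one dict per primary key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        rec = {
            "keyid": f[4],
            "algo": ALGO_NAMES.get(f[3], "algorithm " + f[3]),
            "usable": f[1] not in UNUSABLE,
            # Field 12: lowercase letters are this key's own capabilities;
            # uppercase letters on a pub record summarise the whole key.
            "caps": {c for c in f[11] if c.islower()},
            "subkeys": [],
        }
        if f[0] == "pub":
            keys.append(rec)
        elif keys:
            keys[-1]["subkeys"].append(rec)
    return keys


def encryption_keys(key):
    """(key ID, algorithm) of every usable key that carries the 'e' flag."""
    return [(k["keyid"], k["algo"]) for k in [key] + key["subkeys"]
            if k["usable"] and "e" in k["caps"]]


def report(listing):
    """Map each primary key ID to the keys that can receive encryption."""
    return {k["keyid"]: encryption_keys(k) for k in parse_keys(listing)}


if __name__ == "__main__":
    for keyid, enc in report(SAMPLE).items():
        print(keyid, enc if enc else "no usable encryption (sub)key")
```

An empty list for a primary key corresponds to the "cannot be used for encryption" message quoted above: either no key in the set carries the `e` capability, or the only one that does is revoked or expired.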
