Hi Martin-- On 03/13/2014 06:44 AM, Martin Behrendt wrote: > I want to achieve the following: > 1. A Master signing key > 2. A subkey signing/enc pair for my normal machine > 3. A subkey signing/enc pair for e.g. my mobile device
> Now the following problem arises (at least from the reading I have
> done). As I understand gpg only uses one of the encryption subkeys to
> encrypt the message. So the question is, is it possible to encrypt to
> all encryption subkeys in a key? And if yes, is there an easy way to
> do it, so also not just me can handle that, but also the people who
> sent me encrypted mails. (And if not, does it make sense to implement
> something like this in gnupg?)
ultimately, the problem here is that the people who correspond with you
don't know what device you're going to be reading the encrypted message
on, so they cannot choose which encryption-capable subkey to encrypt to.
In practice, it doesn't make sense to have more than one
encryption-capable subkey active at a time; for signing-capable subkeys,
you can have one per device as you describe.
So here is what i consider to be best practice for those people who end
up using more than one machine:
0) a master certifying key (possibly offline)
1) an encryption-capable subkey (shared across all machines)
2) one signing-capable subkey per device (never shared)
in the event of machine compromise, use the master certifying key to
revoke the encryption-capable subkey and the signing subkey specific to
the compromised machine; add a new encryption-capable subkey and
distribute it to your remaining non-compromised devices. Publish all
these changes to the public keyservers (as well as any other channels by
which you've normally published your keys).
You can also choose some schedule to regularly revoke (or expire) any of
the subkeys and replace them with new ones as a matter of routine
maintenance if you're concerned about key leakage through overuse, or
you just prefer to pre-emptively rotate keys.
hth,
--dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
