Thank you Robert and Peter. It appears that information I had read previously was erroneous. I was under the impression the capabilities (at least for the primary key) were set in stone, hence my apprehension at avoiding those insatiable knobs and gears I like to tinker with. ;)
This thread has been tremendously insightful. My thanks to all who responded and shared their perspectives. James On Mon, Nov 23, 2015 at 12:05 PM, Robert J. Hansen <r...@sixdemonbag.org> wrote: >> The same can be said for almost any complex system, software or not. > > Absolutely. Please don't misinterpret what I said as trying to dissuade > you from curiosity. I'm just urging you to not let your curiosity lead > you into making poor decisions from the get-go. > > The following anecdote is meandering, but if you'll bear with me for two > paragraphs it'll make sense: > > I live in the United States, in a state which allows private citizens, > under incredibly close regulation, to own military firearms. When I > visit the rifle range, sometimes I'll spend some time with a suppressed > German-made MP5SD3 submachinegun. (It's not mine: a friend owns one and > we sometimes hit the range together.) It's a nice piece of kit; I like > it. And quite often, other people who are at the range want to talk > shop about it. We get into discussions about roller-locked firearms > like the Cz52 and MG42 versus roller-delayed firearms like the MP5, how > annoying it is when people get the terminology wrong, whether it's a > good thing or a bad thing the MP5 uses a fluted chamber, how anyone who > thinks it's okay to fire subsonic 9mm from the MP5 needs their head > examined, and so on and so on. And it's fun, as far as it goes, and > it's often educational for the people who've never seen an MP5 before > and are fascinated to learn more about its inner workings. > > It's great -- up until they think they know enough to use an MP5 on the > range, despite the fact they've never fired a weapon before. At that > point we have to explain to them that look, yes, they know a lot more > about the MP5 than most people do, but really, they need to start off > with something small, like a nice .22 Ruger Mk II, develop the basic > skills, learn trigger discipline and proper usage of safeties, learn how > the range operates and what the various calls by the Range Safety > Officers mean, etcetera. There's a huge amount to learn: they don't > need to make things worse by leaping straight over this stuff straight > to firing fully-automatic military hardware. That's just imprudent, and > we'd be awful human beings if we permitted them to do that. > > That's what we're talking about here. The knobs and dials on GnuPG are > great fun to learn about: you're in good company! But there's a big > reason why we're urging you to not do what you want to do, and that's > because you're not yet competent to do what you want to do. We'd rather > see you start off with small steps, and from there move on to the big > ones, than have you start off big. > > Admittedly, it's highly unlikely that screwing up with GnuPG will lead > to a magazine of 9mm being sprayed around the room. But it's the > principle of the thing. :) > > So: for now, please stick with the defaults. > >> It seems to me that, perhaps, making these sorts of decisions up front >> is of some value. > > Not really. It's probably not worth worrying about. > >> If you create a primary key, upload it to a public >> keyserver and later decide: "hrm, my public key should really only >> certify, not sign," it's a bit too late. > > No. > > One of the important skills to learn early on is about how to migrate a > certificate. You're going to make mistakes. You'll forget passphrases, > you'll compromise your keys, you'll realize you made a hash of it and > need to start over again. How do you recover from this? How do you > communicate a change-of-certificate with your correspondents? Etc. > > The only reason to think "it's a bit too late" is if > > a) you're not allowed to change your certificate -- you > *must* keep the same one for the next X years > b) you don't know how to migrate to a new certificate > > There are almost certainly people and groups for whom (a) applies. If > you're one of them, please let me know. But if (b) applies, then I > suggest learning the skill, because it's important. :) > >> It's also worth noting that the suggestion to remove the primary key >> from your laptop isn't thrown up on a few random blogs; instead it is >> something that other projects[1] encourage. > > That wiki page is guidance *for Debian*. Debian has some very specific > operating restrictions which are unlikely to apply to you. The > guidelines Debian put together apply to them, in their environment, > facing their threat model, which they defend with their particular set > of resources. > > It is not guidance for you, unless you're part of Debian. > > By all means, study it! It's a well-written policy. Learn what goes > into their policy and why they make the decisions they do. But don't > think that what they recommend will automatically apply to you. Some of > it will be applicable; a lot of it won't be. > >> If one's primary key is his or her identity, I'd like to be certain >> that I correctly create the key(s). > > Yes. And, as several people here have told you, you correctly create it > by running "gpg --gen-key" and accepting the defaults. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users