On 27/11/15 12:41, Andrew Gallagher wrote:
> There's a post about how to do this in the list archives:
>
> https://lists.gnupg.org/pipermail/gnupg-users/2009-May/036505.html

Thanks for the pointer!

> ... but it's really not worth your while. So long as your primary key
> doesn't have E usage set*, you can create new A and S subkeys and simply
> refrain from using the primary key for those functions.

I agree for the most part. I'm not so sure about how easy it is to refrain from using an A-capability. I think when an SSH server indicates it accepts a signature from my primary key, and that primary key is on a smartcard, GnuPG will try to do that. So that is in the hands of the server, not the client. Although you might be able to disable it with an sshcontrol file, I'm not sure of the exact way it all interacts.

> The only problem you might run into is if one of your correspondents is
> using broken client software that doesn't check signatures against
> multiple subkeys. I've no idea how likely this is though.

Kill that client software until dead. Then some more.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>