Hi all,

this is my first post to GnuPG-users, please be gentle :-)

My OpenPGP setup currently includes an offline master key (see attached
public key) with three subkeys on a Yubikey USB "smartcard". Amongst
them is a signing subkey with "usage: S" flag, but only the master key
has the Certify capability (usage: SC).

Now I want to import someone else's key to verify a signature. In order
to verify that signature, I need to at least locally sign the owner's
key, AFAIK. However, I would need my offline master key (read: really
inconvenient) to issue a signature.

What is the recommended practice if I only want to verify message
integrity, but don't have the master key with Certify ability available?

One solution that comes to mind would be to add a new certification
subkey that I keep on my machine instead of the smartcard, and only use
it for local signatures. Would that make sense or what complications
should I expect?

Building a Web of Trust with an offline master key seems rather
difficult, even just to verify incoming emails. Maybe the upcoming TOFU
trust model would help my usage pattern?

Thanks for any pointers or explanation.

Kind regards,
André
-- 
Greetings...
From: André Colomb <an...@colomb.de>

Attachment: 0x9F45D0FB.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

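As an added example, not part of André's message nor of GnuPG itself: a small POSIX shell check that reads the machine-readable output of `gpg --list-secret-keys --with-colons` and reports where each key capability lives, so that a setup like the one described above shows at a glance that certification (the capability needed for local signatures) is only on the offline primary while S/E/A sit on the card. The listing below is a constructed sample with placeholder key IDs and card serial number, not the poster's real key.

```shell
#!/bin/sh
# Added example: map each capability of a secret key to where it lives,
# from gpg's colon-separated listing. Relevant fields (gpg doc/DETAILS):
#   1  = record type (sec = primary, ssb = subkey)
#   5  = key ID
#   12 = capabilities; lowercase letters are this key's own capabilities,
#        uppercase ones on the primary are the usable ones of the whole key
#   15 = token serial number for sec/ssb, or '#' for a stub whose secret
#        material is not on this machine (offline primary)

# Constructed sample of `gpg --list-secret-keys --with-colons`:
# offline primary with S+C, three subkeys (s, e, a) on one smartcard.
SAMPLE='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:1111111111111111:1500000000::::::s:::000612345678:::23:
ssb:u:4096:1:2222222222222222:1500000000::::::e:::000612345678:::23:
ssb:u:4096:1:3333333333333333:1500000000::::::a:::000612345678:::23:'

# Reads a colon listing on stdin; prints "<keyid> <caps> <location>" per
# sec/ssb record, where location is offline, card:<serial>, or local.
key_locations() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        loc = "local"
        if ($15 == "#") loc = "offline"
        else if ($15 != "") loc = "card:" $15
        print $5, $12, loc
    }'
}

# Reads a colon listing on stdin; prints the location of every key that
# carries the given lowercase capability letter (c, s, e or a).
where_can_i() {
    cap=$1
    key_locations | awk -v cap="$cap" 'index($2, cap) { print $3 }'
}

printf '%s\n' "$SAMPLE" | key_locations
echo "Certify (c) is available at: $(printf '%s\n' "$SAMPLE" | where_can_i c)"
```

Run it against real output with `gpg --list-secret-keys --with-colons | key_locations`; a certify-capable key listed as `offline` is exactly the case where `--lsign-key` needs the master key brought online.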