> On 30 Jul 2017, at 21:19, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
>
> I see a growing number of keys that have well managed & expired separate
> subkeys for Signing, Encryption and Authentication switch from ‘SC’ on the
> master key to just ‘C’ (all RSA, ignoring DSA).
>
> Would anyone know if there is some documented best practice ?

I don't think it particularly matters if you have both an S primary and an S subkey. I can't think of any use case where it would be a problem (although I'm sure now I've said it someone will correct me).

What I have found problematic myself is having an A primary and an A subkey. This is because my primary is offline and I use smartcards for my subkeys, and there exist some applications which only accept one auth key. There have been times when I have mixed up my online and offline A pubkeys, which is not a security issue, but is a usability one.

So I personally would not recommend having more than one valid A (sub)key at any one time - purely for your own sanity.

A

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
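
Added example (not part of the original message or of GnuPG itself): a small check for the situation described above, which reads `gpg --list-keys --with-colons` output and reports every key that has more than one usable authentication-capable (sub)key. The function names and the sample listing are constructed for illustration; the field positions follow GnuPG's colon-delimited listing format.

```python
# Field positions in a `gpg --with-colons` pub/sub record (0-based):
#   1 = validity, 4 = key ID, 11 = capabilities.
# Lowercase capability letters belong to the key on that line; the uppercase
# letters on a pub record summarise the whole key and are ignored here.
UNUSABLE = {"e", "r", "i", "d", "n"}  # expired, revoked, invalid, disabled, not valid

# Constructed sample listing (key IDs and timestamps are made up).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scaESCA::::::23::0:
uid:u::::1500000000::0000::Example User <user@example.org>::::::::::0:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1500000000:2000000000:::::s::::::23:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1500000000:2000000000:::::e::::::23:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1500000000:2000000000:::::a::::::23:
sub:e:2048:1:EEEEEEEEEEEEEEEE:1400000000:1450000000:::::a::::::23:
pub:u:4096:1:1111111111111111:1500000000:::u:::cSCEA::::::23::0:
sub:u:2048:1:2222222222222222:1500000000:2000000000:::::a::::::23:
"""


def auth_keys(listing):
    """Map each primary key ID to the usable (sub)keys carrying the 'a' capability."""
    result, primary = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        if fields[0] == "pub":
            primary = fields[4]
            result[primary] = []
        if primary is None or fields[1] in UNUSABLE:
            continue  # stray subkey line, or an expired/revoked key
        if "a" in fields[11]:
            result[primary].append(fields[4])
    return result


def multiple_auth(listing):
    """Return only the keys with more than one usable authentication key."""
    return {k: v for k, v in auth_keys(listing).items() if len(v) > 1}


if __name__ == "__main__":
    for primary, keys in multiple_auth(SAMPLE).items():
        print(f"{primary}: {len(keys)} usable auth keys: {', '.join(keys)}")
```

In the sample, the first key is reported because both its primary and one unexpired subkey are authentication-capable; the expired A subkey is not counted.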