Re: [Feature Request] Multiple level subkey
ok, just to clarify; my original question boils down to being able to generate a Sign key using a subkey. I guess there should be an arbitrary hard limit on the number of sub-subkeys. Aside from this, the validation algorithm should be made recursive, up to the hard limit. Would it be possible to use the GnuPG code to create a fork, and add this kind of behaviour?

2017-09-09 0:50 GMT+02:00 lesto fante :
> Hello,
>
> Maybe this is not the right place to discuss this, please be
> kind with a noob.
>
> My use case is simple; maintain my identity even if my master key is
> compromised. To achieve that, I am thinking about a multilevel subkey
> system.
> Please, I would love to hear any alternative.
> For the purpose of the discussion, we don't talk about HOW revocations and public
> keys are exchanged between peers; it could be with existing key servers,
> or another way.
>
> I would like to set up a system that is relatively secure, but with no hassle
> for everyday use.
>
> The idea is the following:
> A level 1 key, kept very safe (hw or paper wallet). This key
> represents the identity and is hopefully used only once to generate one
> subkey "level 2".
>
> The subkey level 2 is saved on one (or more, but trusted) main device.
> This key will be used to generate its own subkeys (level 3); those
> subkeys are used for various applications and distributed between devices
> using relatively unsafe methods; losing, revoking or issuing a new key
> for a new application should be easy and transparent for the user.
>
> The idea is that the level 2 key is used for most of the normal
> operations, even in case one or more level 3 keys are compromised;
> please remember that all the keys just represent the identity of the
> level 1 key.
>
> This is very similar to the chain of trust with certificates.
>
> Now the nice thing: I guess most people will use their phone to
> keep the level 2 key, but we know those are not the most secure stuff,
> especially when they get old or with some producers allergic to patches.
>
> In the unlucky case the level 2 key gets compromised, the user can use
> the level 1 key to:
> 1. revoke the level 2 key. This of course will automatically revoke
> the level 3 keys that are direct subkeys of that level 2 key.
>
> 2. issue a new level 2 key. At this point the main device will issue
> new level 3 keys to replace all the keys revoked in the step above.
>
> please note a user could have multiple level 2 keys active; this could
> be for different reasons, like updating to a different algorithm that is still
> not fully supported.
>
> Lesto
>
> ps. is anyone aware of some kind of P2P system to share keys?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
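The recursive validation with a hard depth limit and the revocation behaviour described in the thread (revoking the level 2 key takes its level 3 subkeys with it, and a new level 2 key can then be issued) as an added Python model; this is not code from the thread or from GnuPG. It assumes a depth limit of two levels below the level 1 key, and, because the standard library has no asymmetric signature primitive, it substitutes an HMAC over a per-key secret for the OpenPGP binding signature; the KeyPair, Binding and Keyring names are its own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hard limit on nesting (assumed value for this model): level 1 sits at depth 0,
# level 2 at depth 1, level 3 at depth 2; anything deeper is rejected outright.
MAX_DEPTH = 2


class KeyPair:
    """Stand-in for one OpenPGP key.

    The standard library has no asymmetric signature primitive, so an HMAC over
    a per-key random secret plays the role of the signature and the verifier
    holds the KeyPair object the way it would hold the public key. Only the
    chain logic in Keyring is the point; the primitive is a placeholder."""

    def __init__(self, label: str):
        self.label = label
        self._secret = os.urandom(32)
        # Short fingerprint-like identifier for the key.
        self.fpr = hashlib.sha256(self._secret).hexdigest()[:16]

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, "sha256").digest()

    def verify(self, payload: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(payload), sig)


@dataclass
class Binding:
    issuer: str   # fingerprint of the parent key that certified the subkey
    subject: str  # fingerprint of the subkey
    sig: bytes    # parent's signature over the binding payload


class Keyring:
    """Keys, subkey bindings and revocations, with recursive validation."""

    def __init__(self, root: KeyPair):
        self.root = root.fpr                  # the level 1 key is the trust anchor
        self.keys = {root.fpr: root}
        self.bindings: dict[str, Binding] = {}
        self.revocations: dict[str, bytes] = {}

    @staticmethod
    def bind_payload(issuer: str, subject: str) -> bytes:
        return f"bind:{issuer}:{subject}".encode()

    @staticmethod
    def revoke_payload(subject: str) -> bytes:
        return f"revoke:{subject}".encode()

    def issue_subkey(self, parent: KeyPair, label: str) -> KeyPair:
        """Parent certifies a fresh subkey (level n -> level n+1)."""
        child = KeyPair(label)
        self.keys[child.fpr] = child
        sig = parent.sign(self.bind_payload(parent.fpr, child.fpr))
        self.bindings[child.fpr] = Binding(parent.fpr, child.fpr, sig)
        return child

    def revoke(self, parent: KeyPair, child: KeyPair) -> None:
        """Record a revocation; it only counts if the binding's issuer signed it."""
        self.revocations[child.fpr] = parent.sign(self.revoke_payload(child.fpr))

    def is_valid(self, fpr: str, depth: int = 0) -> bool:
        """Walk the bindings back to the anchor: every binding must verify, no key
        on the path may carry a revocation signed by its own issuer, and the path
        may not exceed MAX_DEPTH. Revoking a level 2 key therefore invalidates
        the level 3 keys beneath it without touching them individually."""
        if depth > MAX_DEPTH:
            return False                      # hard limit: refuse unbounded recursion
        if fpr == self.root:
            return True
        binding = self.bindings.get(fpr)
        if binding is None:
            return False                      # unknown key, no chain to the anchor
        issuer = self.keys.get(binding.issuer)
        if issuer is None or not issuer.verify(self.bind_payload(binding.issuer, fpr), binding.sig):
            return False                      # binding not certified by the claimed parent
        rev = self.revocations.get(fpr)
        if rev is not None and issuer.verify(self.revoke_payload(fpr), rev):
            return False                      # revoked by its own issuer
        return self.is_valid(binding.issuer, depth + 1)


def demo() -> dict:
    """Play out the scenario from the thread and return the validity checks."""
    root = KeyPair("level1-offline")
    ring = Keyring(root)
    l2 = ring.issue_subkey(root, "level2-phone")
    l3_mail = ring.issue_subkey(l2, "level3-mail")
    l3_ssh = ring.issue_subkey(l2, "level3-ssh")
    l4 = ring.issue_subkey(l3_mail, "level4-too-deep")
    out = {"l3_mail_valid": ring.is_valid(l3_mail.fpr),
           "l4_rejected_by_depth_limit": ring.is_valid(l4.fpr)}
    # A compromised level 3 key cannot revoke its parent: the revocation of the
    # level 2 key must verify under that key's issuer, which is the root.
    ring.revocations[l2.fpr] = l3_mail.sign(Keyring.revoke_payload(l2.fpr))
    out["forged_revocation_ignored"] = ring.is_valid(l2.fpr)
    # The phone is compromised: level 1 revokes level 2, and both level 3 keys fall with it.
    ring.revoke(root, l2)
    out["l2_after_revoke"] = ring.is_valid(l2.fpr)
    out["l3_mail_after_revoke"] = ring.is_valid(l3_mail.fpr)
    out["l3_ssh_after_revoke"] = ring.is_valid(l3_ssh.fpr)
    # Recovery: a new level 2 key is issued and the device re-issues level 3.
    l2_new = ring.issue_subkey(root, "level2-phone-new")
    l3_mail_new = ring.issue_subkey(l2_new, "level3-mail-new")
    out["l3_mail_new_valid"] = ring.is_valid(l3_mail_new.fpr)
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The depth check runs before the anchor check on purpose: a chain that reaches the level 1 key only after more than MAX_DEPTH hops is still rejected, which is the hard limit the reply asks for. A revocation is honoured only when it verifies under the key that issued the binding, so a key lower in the hierarchy cannot revoke one above it.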
Re: Help: Copied gnupg folder not recognised
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09/17/17 02:32, David Seaward wrote:
> Hi,
>
> I copied ~/.gnupg from my old machine, because I want to copy all
> keys, trust data etc. [1]
>
> However, on my new machine, nothing seems to be recognising the
> GnuPG files:
>
> * "gnupg --list-keys" is empty ("gnupg --help" confirms that
> ~/.gnupg is the folder being used)
>
> * The "GnuPG keys" pane of "GNOME Password and Keys" is empty
>
> * Email client is not able to encrypt/decrypt messages
>
> How can I diagnose what the problem is? Failing that, how can I
> export/import an entire .gnupg folder (including trust data)?
>
> Regards, David
>
> [1] https://www.phildev.net/pgp/gpg_moving_keys.html

I'm just pointing out some messages that helped me...

Robert J. Hansen, Jan 15, 2017; 5:40pm
http://gnupg.10057.n7.nabble.com/Sherpa-0-3-0-td50700.html

Peter Lebbing, Jul 14, 2017; 2:56pm
http://gnupg.10057.n7.nabble.com/A-Quick-Question-td52732.html#a52736

Werner Koch, Dec 09, 2016; 2:10pm
http://gnupg.10057.n7.nabble.com/How-restore-backuped-gnupg-private-keys-v1-d-td50286.html#a50290

Robert J. Hansen, Nov 17, 2016; 3:03pm
http://gnupg.10057.n7.nabble.com/Fresh-OS-installation-td49869.html#a49870

Werner Koch, Sep 19, 2016; 1:49am
http://gnupg.10057.n7.nabble.com/What-is-a-reliable-way-to-backup-restore-my-keys-and-test-td48847.html#a48906

Daniel Kahn Gillmor, Sep 14, 2016; 4:05pm
http://gnupg.10057.n7.nabble.com/What-is-a-reliable-way-to-backup-restore-my-keys-and-test-tp48847p48854.html

hope this helps,
Daniel

-- 
Daniel Villarreal
http://www.youcanlinux.org
youcanlinux at gmail.com
PGP key 2F6E 0DC3 85E2 5EC0 DA03 3F5B F251 8938 A83E 7B49
https://pgp.mit.edu/pks/lookup?op=get&search=0xF2518938A83E7B49
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJZvlcaAAoJEPJRiTioPntJ+NkH/05xRLuG79plxQNiAuZAjbcu
EEdXWJa+Ow4lnVJLTtidOr49/x2QepkpqCdk3CucM2Awit9ZVneNdURdJAlUsAYT
PMqYBdtJamIBTyNftLLzeiFdXzbkQRFCA57CLUBG8UHZd2lfX9WNmqBc3jZ8Nb93
dMf93HYrzYbCPP2+Ilmyel4THB7E9580rhLcBweI20Okg9XT6hwszwmqsa6fadT1
fVUJaiRrQkuloM7De2vVJN5QnhUTiQMvmVLTW3++acSodisSjM8mD0u2FbHv1IBc
qWUUiiDD9w1p7ol7t3NtcakTZchqV1sA7XOxG+CJe9KUOl78U6ufg/o/28nz7sw=
=noVu
-----END PGP SIGNATURE-----
Help: Copied gnupg folder not recognised
Hi,

I copied ~/.gnupg from my old machine, because I want to copy all
keys, trust data etc. [1]

However, on my new machine, nothing seems to be recognising the
GnuPG files:

* "gnupg --list-keys" is empty ("gnupg --help" confirms that
~/.gnupg is the folder being used)

* The "GnuPG keys" pane of "GNOME Password and Keys" is empty

* Email client is not able to encrypt/decrypt messages

How can I diagnose what the problem is? Failing that, how can I
export/import an entire .gnupg folder (including trust data)?

Regards,
David

[1] https://www.phildev.net/pgp/gpg_moving_keys.html