Re: Why Signing key part of Master key
On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote:
> Hi all,
>
> I am still working on setting up the "perfect" setup. When I created the
> master, it was [SC]. I question, why is the signing key part of the master
> key? Why not have it be a subkey? Almost everywhere I looked, the two were
> a single key except this site
> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my
> own tests the signing functionality worked the same when the signing key
> was a subkey versus a part of the master.
>
> Are there any advantages or disadvantages either way?
>
> Thank you,

it's mostly a sensible default as people tend to keep key material on
disk on online computers to begin with. the benefits of a separate
primary normally come out in scenarios with stronger security
requirement, at which point the manual interaction required to set it
up isn't the biggest hurdle anyways, but actually keeping up with
operational security is.

(note, it's not the SC capable primary that is the issue to begin with,
but actually keeping it isolated, the primary will always be able to
become signing-capable anyways by updating the flags on its self-signature)

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why Signing key part of Master key
February 24, 2019 2:39 PM, "Kristian Fiskerstrand" wrote:
> On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote:
>
>> Hi all,
>>
>> I am still working on setting up the "perfect" setup. When I created the
>> master, it was [SC]. I question, why is the signing key part of the master
>> key? Why not have it be a subkey? Almost everywhere I looked, the two were
>> a single key except this site
>> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my
>> own tests the signing functionality worked the same when the signing key
>> was a subkey versus a part of the master.
>>
>> Are there any advantages or disadvantages either way?
>>
>> Thank you,
>
> it's mostly a sensible default as people tend to keep key material on
> disk on online computers to begin with. the benefits of a separate
> primary normally come out in scenarios with stronger security
> requirement, at which point the manual interaction required to set it
> up isn't the biggest hurdle anyways, but actually keeping up with
> operational security is.
>
> (note, it's not the SC capable primary that is the issue to begin with,
> but actually keeping it isolated, the primary will always be able to
> become signing-capable anyways by updating the flags on its self-signature)
>
> --
>
> Kristian Fiskerstrand
> Blog: https://blog.sumptuouscapital.com
> Twitter: @krifisk
>
> Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>
> Corruptissima re publica plurimæ leges
> The greater the degeneration of the republic, the more of its laws

I was under the impression that best practice was to keep the master key
offline in cold storage. If so, wouldn't that make having the signing key
impossible to use? And if so, is it possible to remove the Signing
functionality from my Certificate key that I already generated?

---
Farhan Khan
Re: Why Signing key part of Master key
On Sun, 2019-02-24 at 19:34 +, Farhan Khan via Gnupg-users wrote:
> Hi all,
>
> I am still working on setting up the "perfect" setup. When I created the
> master, it was [SC]. I question, why is the signing key part of the master
> key? Why not have it be a subkey? Almost everywhere I looked, the two were
> a single key except this site
> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my
> own tests the signing functionality worked the same when the signing key
> was a subkey versus a part of the master.
>
> Are there any advantages or disadvantages either way?
>

Gentoo policy [1] requires split signing subkey. The main advantage is
that you can then store primary key offline, and not have it exposed the
same way subkeys are.

[1]:https://www.gentoo.org/glep/glep-0063.html

--
Best regards,
Michał Górny
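
The [SC]-primary versus split-subkey layouts discussed in this thread can be told apart from GnuPG's colon-format listing, where field 12 of each pub/sub record carries the usage flags. The following is an added example, not part of any poster's message; the function name, verdict strings and sample key records are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a key's layout from colon-format listing output.
# Real use: gpg --list-keys --with-colons <key> | check_key_layout
# Field 1 = record type, field 2 = validity, field 12 = capabilities.
# Lowercase letters in field 12 are that key's own usage flags; the uppercase
# letters on the pub record summarise the whole key and are not matched here.
check_key_layout() {
    awk -F: '
        $1 == "pub" && $12 ~ /s/                   { primary_signs = 1 }
        # r = revoked, e = expired, i = invalid: not a usable signing subkey
        $1 == "sub" && $12 ~ /s/ && $2 !~ /^[rei]/ { signing_sub = 1 }
        END {
            if (primary_signs)    print "primary-signs"
            else if (signing_sub) print "split"
            else                  print "no-usable-signing-key"
        }'
}

# Constructed sample records (key IDs and timestamps are made up).
# Default layout: primary is [SC], one encryption subkey.
SAMPLE_SC='pub:u:4096:1:AAAAAAAAAAAAAAAA:1551000000:::u:::scESC:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1551000000::::::e:'

# Split layout: certify-only primary, separate signing and encryption subkeys.
SAMPLE_SPLIT='pub:u:4096:1:CCCCCCCCCCCCCCCC:1551000000:::u:::cESC:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1551000000::::::s:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1551000000::::::e:'

# Certify-only primary whose only signing subkey has been revoked.
SAMPLE_REVOKED='pub:u:4096:1:FFFFFFFFFFFFFFFF:1551000000:::u:::cEC:
sub:r:4096:1:0000000000000000:1551000000::::::s:
sub:u:4096:1:1111111111111111:1551000000::::::e:'

for sample in "$SAMPLE_SC" "$SAMPLE_SPLIT" "$SAMPLE_REVOKED"; do
    printf '%s\n' "$sample" | check_key_layout
done
```

The verdict reflects usage flags only; whether the primary's secret key is actually kept offline is an operational matter the listing cannot show.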
Why Signing key part of Master key
Hi all,

I am still working on setting up the "perfect" setup. When I created the
master, it was [SC]. I question, why is the signing key part of the master
key? Why not have it be a subkey? Almost everywhere I looked, the two were
a single key except this site
(http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my
own tests the signing functionality worked the same when the signing key
was a subkey versus a part of the master.

Are there any advantages or disadvantages either way?

Thank you,

---
Farhan Khan
Re: user id question
On 2/23/2019 4:34 PM, MFPA wrote:
> Hi
>
>
> On Saturday 23 February 2019 at 7:06:20 AM, in
> , john doe wrote:-
>
>
>> Is it acceptable to have multiple 'user ID's with the
>> same address e-mail?
>
> Yes. It might be simpler to have a single UID containing only the
> email address and with neither form of your name.
>
>

Thank you everyone for your answers.

What I understand is that there is no clear convention.

Let's say that my first name is 'abcdefgh' and my short name is 'abcd',
based on this thread I'll use something like:

abcdefgh abcd LAST-NAME

Should I put the short name between '()' or quotes or is the above
example the best way forward?

Thanks again for the help/input.

--
John Doe