Paul R. Ramer free10...@gmail.com writes:
On July 9, 2014 11:40:06 AM PDT, MFPA
2014-667rhzu3dc-lists-gro...@riseup.net wrote:
Hi
On Wednesday 9 July 2014 at 5:54:36 PM, in
mid:3222188.kZ1ztGDBqg@inno, Hauke Laging wrote:
On Tue 08.07.2014, 14:41:36, J. David Boyd wrote:
which means that any of them can make changes to your
keys.
And that is wrong.
Please can you elaborate on how it is incorrect to say that somebody
who knows the passphrase to a secret key can make changes to that key.
Would this maybe be the case when using an encryption subkey with an
offline main key?
If you make encryption and signing subkeys you can export them
(i.e. the secret subkeys), create a new gnupg home directory, import
the subkeys, change the password on them, and finally, export and
distribute them to the people who are supposed to use them.
By doing this you can have a person who manages the master key
separately under another password and the authorized users can use the
encryption and signing secret subkeys without being able to make
changes to them.
The person who manages the master key can add new UIDs for any new
user and give that person a copy of the secret subkeys with the
password. The only problem that I see right away is revoking control
when one of the users leaves. One way that you could remedy this is
to revoke the old subkeys and issue new ones.
I am not recommending this method but it is a way that it can be done.
Anyway...
Cheers,
-Paul
--
PGP: 3DB6D884
Wow, that would be a lot of work. Actually, I didn't even know you could do
that. GPG is versatile, to say the least.
Dave
PGP: 96569433
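The split Paul describes, run end to end as an added example (this is not code from the thread; the key name, passphrase and directories are constructed, and GnuPG 2.1 or later with loopback pinentry is assumed). It shows that a keyring holding only the secret subkeys can sign and decrypt but cannot add a user ID, while the custodian's keyring can.

```shell
#!/bin/sh
# Added example, not from the list thread. The custodian keeps the secret
# primary key; users get only the secret subkeys in their own home directory.
set -eu

PASS="master-pass"   # constructed passphrase; the subkeys inherit it on export
g() {                # non-interactive gpg against a given home directory
  home=$1; shift
  gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback \
      --passphrase "$PASS" "$@"
}

# Returns 0 when the custodian can still edit the key but the subkey-only
# keyring cannot (no secret primary key: no new UIDs, no certifications).
split_subkeys_demo() {
  work=$(mktemp -d); master="$work/master"; users="$work/users"
  mkdir -m 700 "$master" "$users"

  # 1. Custodian: certify-only primary key plus signing and encryption subkeys.
  g "$master" --quick-gen-key "Team Key <team@example.test>" rsa2048 cert never
  fpr=$(gpg --homedir "$master" --list-keys --with-colons | awk -F: '/^fpr/ {print $10; exit}')
  g "$master" --quick-add-key "$fpr" rsa2048 sign never
  g "$master" --quick-add-key "$fpr" rsa2048 encr never

  # 2. Export only the secret subkeys; the secret primary key never leaves.
  g "$master" --export-secret-subkeys "$fpr" > "$work/subkeys.gpg"

  # 3. Import into a fresh home directory for the users. Their own passphrase
  #    is then set interactively with: gpg --homedir "$users" --passwd "$fpr"
  g "$users" --import "$work/subkeys.gpg"

  # 4. 'sec#' in the listing marks the missing secret primary key.
  gpg --homedir "$users" -K 2>/dev/null | grep -q '^sec#' || return 1
  # Users can still sign (and decrypt) with the subkeys...
  echo data > "$work/msg"
  g "$users" --local-user "$fpr" --output "$work/msg.sig" --detach-sign "$work/msg"
  g "$master" --verify "$work/msg.sig" "$work/msg" 2>/dev/null || return 1
  # ...but cannot change the key: adding a UID needs the secret primary key.
  if g "$users" --quick-add-uid "$fpr" "Second User <second@example.test>" 2>/dev/null; then
    return 1
  fi
  g "$master" --quick-add-uid "$fpr" "Second User <second@example.test>" || return 1

  GNUPGHOME="$master" gpgconf --kill gpg-agent || true
  GNUPGHOME="$users" gpgconf --kill gpg-agent || true
  rm -rf "$work"
}
```

Revoking a departed user's access still works as Paul says: the custodian revokes the subkeys and issues new ones, since only the custodian's keyring can do that.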
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users