Several master keys vs. master key and subkeys
Hi everyone, really sorry to ask so many stupid questions. I'm planning to write a nice howto guide when I finally figured everything out, but before I can do that I need to know what I am talking about :) I want to have one master key with a super strong passphrase, which will never expire and will basically never be used except for building my web of trust. For every day use I would like to have subkeys which will expire every 2 years. So far I understand that GPG can create subkeys and I have found the following two articles to be very good: https://alexcabal.com/creating-the-perfect-gpg-keypair/ http://wiki.debian.org/subkeys I have to say that the part about removing the original signing subkey (whatever that means) seems to be a bit confusing. After a while I stumbled upon this post: http://www.davidsoergel.com/gpg.html This person claims that subkeys are not the best option because: ### QUOTE ### Disadvantages of subkeys: * I find them Confusing. * There are disturbingly many (i.e., any at all) bug reports on the web about gpg software handling subkeys incorrectly. * It is possible to export a subkey and attach it to a different primary key, creating a potential security hole. * No ability (without a lot of hassle, anyway) to use different passphrases on primary and subkeys. ### ENDQUOTE ### Is this really true? Do subkeys have the same passphrase as the master key? I find this quite hard to believe. I would like to know if David Soergel's approach has any flaws. As I understand it, it works the same as using real subkeys, I would create two normal keys, declare one to be my master key and one to be my first subkey. Then I would sign the subkey with the master key which would enable me to create a revocation cert for this subkey later, if needed? Any reasons why I should stick to GPGs "native" subkey feature? Many thanks for your help in advance! Best regards, Martin ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Several master keys vs. master key and subkeys
On Tue, 16 Jul 2013 01:16, martin.brochh...@gmail.com said: > This person claims that subkeys are not the best option because: > > ### QUOTE ### > > Disadvantages of subkeys: > > * I find them Confusing. They mandotory part of the standard and solve the problem of having separate keys for separate purposes (at least encryption and signing). > * There are disturbingly many (i.e., any at all) bug reports on the web > about gpg software handling subkeys incorrectly. I am not aware of any problems with them. They have been with us for 15 years! > * It is possible to export a subkey and attach it to a different primary > key, creating a potential security hole. That is only possible for the owner of the primary key. It is further not possible to add a signing subkey if you can't create a signature with that signing subkey. There is no problem adding a foreign encryption subkey to your key: Either you can use (know the protection passphrase) that subkey - then you are the owner; or you can't use it - then it is useless. > * No ability (without a lot of hassle, anyway) to use different passphrases > on primary and subkeys. gpg works correctly if you have different passphrases. I use a different one for my offline key than for my subkey-only online key. For the user experience different passphrases are the worst thing you can do. Remembering a passphrase is difficult enough; entering two different passphrases for sending mail (signing) and reading mail (decryption) is a no-go. > I would like to know if David Soergel's approach has any flaws. As I > understand it, it works the same as using real subkeys, I would create two > normal keys, declare one to be my master key and one to be my first subkey. Oh dear, that is Lutz's pgp 2.6 approach which fortunately led to a solid spec named OpenPGP. > Any reasons why I should stick to GPGs "native" subkey feature? Yes, because that is a core concept of OpenPGP. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Several master keys vs. master key ,and subkeys
On 2013-07-16 10:52, gnupg-users-requ...@gnupg.org wrote: Message: 2 > Date: Tue, 16 Jul 2013 10:09:38 +0200 > From: Werner Koch > To: Martin > Cc: gnupg-users@gnupg.org Subject: Re: Several master keys vs. master key and subkeys > Message-ID: <87k3krj58d@vigenere.g10code.de> Content-Type: text/plain; charset=us-ascii On Tue, 16 Jul 2013 01:16, martin.brochh...@gmail.com said: >This person claims that subkeys are not the best option because: ... >Any reasons why I should stick to GPGs "native" subkey feature? Yes, because that is a core concept of OpenPGP. Sorry if this is wordy, but I want to make sure I cover most details.. :) I thought I had grasped the concept of all various key parts, but now I'm getting a bit unsure.. A GnuPG key has a private key and a public key. When you first create it, you get these two parts, and a different kind of "keys", a primary key (usage: SC), and a sub key for encryption (usage: E). You can add and revoke sub keys, as much as you want, as well as UIDs, for when you change or add mail addresses, Jabber IDs, etc. You can also make a version of your key where the primary key is deleted and you have two sub keys, one for encryption (usage: E) and one for signing (usage: S). But so far, I've always thought that "changing password for a subkey" was changing the password for, say like in the second example above? You have a version B of your key, with a different password than version A (where the primary key is still present)? Not that one particular subkey per se has a different password? If I were to create two different signing subkeys (usage:S), not sure why, but still, I could give them different passwords? If you _can_ assign a separate, different password to a particular subkey, I assume it is done under --edit-key, but how? Just for the record, I use GnuPG 1.4.13 on Windows XP and Linux Mint 14 Nadia. I tend to use commandline 90% of the time, but for text snippets on my work PC, I also use Cryptophane. On my work PC I run it locally (local.bat with set GNUPGHOME=.) from inside a mounted TrueCrypt volume. Cryptophane is also set to 'no-config'. I have four versions of my key (RSA): 1. "Main key", which is only stored offline, and which contains primary key and all past and present subkeys, including revoked ones. (None so far). This key has passphrase A. 2. The key I use, which is kept inside the TrueCrypt file mentioned above. It has my current subkeys for encryption and signing, but not the primary key. This key has passphrase B. 3. A travel key, basically GnuPG 1.4.13 and Cryptophane on a USB thumbdrive. It only has my public key. 4. Same as 3. on my work mobile, using Android and APG 0.8. Only public key present. The reason for 3 and 4 is that I discovered that during the day, I more often want to _encrypt_ something to myself, a file or a short piece of text, in various situations. It can be before uploading a diary note or a customer file to Dropbox or pretty much just anything. Decryption happens later, when at my desk or in more secure environments, using key version 2. This is also based on something that may have been acknowledged on this list more than once; That at the end of the day, you encrypt to yourself much more often than you do to other people, who can't be bothered with encryption anyway. ;) Best, Sin T ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Several master keys vs. master key and subkeys
reflum, On Tue, 2013-07-16 at 07:16 +0800, Martin wrote: > * I find them Confusing. So what's the point here? If he doesn't yet the concept it doesn't mean it is bad. It's just a statement about him, not the standard. e.g. I haven't got the concept of armoured concrete, yet I life in a house build this way and it works great for me. > * There are disturbingly many (i.e., any at all) bug reports on the > web about gpg software handling subkeys incorrectly. I have never seen any. There may be. But there may be also bugs for all other parts of all other software. > * It is possible to export a subkey and attach it to a different > primary key, creating a potential security hole. To use really use the subkey you need to be abled to use it anyway. If you are already be abled to use it (having a copy of the secret key material, knowing the passphrasse...) there is no longer need to attach it to a diffrent key. You can already use it. To me this sounds like half-thought thingy: I don't understand the concept fully so I consider it to have security problems. > * No ability (without a lot of hassle, anyway) to use different > passphrases on primary and subkeys. For the few setups I used this before it worked for me. > I would like to know if David Soergel's approach has any flaws. As I > understand it, it works the same as using real subkeys, I would create > two normal keys, declare one to be my master key and one to be my > first subkey. Biggest problem to me with this (some used do it so it *is* a real world problem to me): this breaks the Web of Trust. The normal calculation doesn't work anymore as expected. Validity is calaculated wrong (as those are leaf nodes in the WoT and have only one other node connected). Also signing those keys isn't a better option: they are replaced yearly or something. So as soon as the key is expired or revoked I would need to re-sign the replacing key. Also if I trust both keys in some way the person counts twice if he signs some other keys. If he does that for some years he may have a sum of keys I have signed and trust. If he un-expires them so they become valid again he can sign some other key and that one becomes valid and trusted to me with just that person as trust path. So the person can 'inject' a valid key as of the view of my gpg. So for me that often leads to alterning the trustdb manully that adds extra work and has some risks of it's own. See above. > Then I would sign the subkey with the master key which would enable me > to create a revocation cert for this subkey later, if needed? You can always revoke any primary or subkey. You just need to be abled to use the corressponding certification key (your primary key) or create a revocation certificate (signature) after creating the key and use that late. (there are more ways to invalidate a key but I don't want to confuse you more than needed :). Hope my post is of any help. -- Philipp. (Rah of PH2) signature.asc Description: This is a digitally signed message part ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Several master keys vs. master key ,and subkeys
On Tue, 16 Jul 2013 12:21, biggles.tren...@gmail.com said: > A GnuPG key has a private key and a public key. When you first create All public key algorithms work with the concept of a keypair. GnuPG does the same. This is the low level maths. To make it usable we need to bind mail addresses to the key (user IDs) and securely bind them to the key (self-signatures). That is the same for OpenPGP and S/MIME. However, OpenPGP goes further by working with /keyblocks/. A keyblock is a collection of primary key with user IDs and several subkeys, bound by self-signatures and back-signatures to the primary key. Thus a keyblock as commonly two keys: A primary and a subkey. Now this keyblock exists in two variants: as a public keyblock and as a secret keyblock. The latter also has the private keys and thus needs to be kept secure. > it, you get these two parts, and a different kind of "keys", a primary > key (usage: SC), and a sub key for encryption (usage: E). Right. > You can add and revoke sub keys, as much as you want, as well as UIDs, > for when you change or add mail addresses, Jabber IDs, etc. Correct. > You can also make a version of your key where the primary key is > deleted and you have two sub keys, one for encryption (usage: E) and > one for signing (usage: S). That is a GnuPG feature and is only done for the private part of the primary key. It is a private extension to OpenPGP but more or less irrelevant to the standard becuase it affects only the private key (OpenPGP uses the term "secret key" instead of "private key" - it doesn't matter). > You have a version B of your key, with a different password than > version A (where the primary key is still present)? Not that one > particular subkey per se has a different password? Usually this does not happen because GnuPG < 2.1 has no feature to merge secret subkeys. > If I were to create two different signing subkeys (usage:S), not sure > why, but still, I could give them different passwords? Yes. The passphrtase protects the secret part of each key. It just happens that gpg always syncs them to work withnthe same passphrase. > If you _can_ assign a separate, different password to a particular > subkey, I assume it is done under --edit-key, but how? You can't without hacking the code or making advanced use of gpgsplit. > I have four versions of my key (RSA): > 1. "Main key", which is only stored offline, and which contains > primary key and all past and present subkeys, including revoked > ones. (None so far). This key has passphrase A. Same here. > 2. The key I use, which is kept inside the TrueCrypt file mentioned > above. It has my current subkeys for encryption and signing, but not > the primary key. This key has passphrase B. Okay. > 3. A travel key, basically GnuPG 1.4.13 and Cryptophane on a USB > thumbdrive. It only has my public key. A public key is a public key is a public key. No need to protect it, you may only want to remeber the fingerprint. > 4. Same as 3. on my work mobile, using Android and APG 0.8. Only > public key present. Okay. I have my public key on all of my boxes because I use it to encrypt the backups (actually I encrypt the backups to several keys). > The reason for 3 and 4 is that I discovered that during the day, I > more often want to _encrypt_ something to myself, a file or a short > piece of text, in various situations. It can be before uploading a > diary note or a customer file to Dropbox or pretty much just That is the cool thing with public key crypto. > anything. Decryption happens later, when at my desk or in more secure > environments, using key version 2. Right. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Several master keys vs. master key ,and subkeys
On 2013-07-16 15:32, Werner Koch wrote: You have a version B of your key, with a different password than version A (where the primary key is still present)? Not that one particular subkey per se has a different password? Usually this does not happen because GnuPG < 2.1 has no feature to merge secret subkeys. If I were to create two different signing subkeys (usage:S), not sure why, but still, I could give them different passwords? Yes. The passphrtase protects the secret part of each key. It just happens that gpg always syncs them to work withnthe same passphrase. If you _can_ assign a separate, different password to a particular subkey, I assume it is done under --edit-key, but how? You can't without hacking the code or making advanced use of gpgsplit. Ah, so even if technically simplified, my previous understanding was basically correct. Thank you very much for this clarification, very useful! Okay. I have my public key on all of my boxes because I use it to encrypt the backups (actually I encrypt the backups to several keys). Which is basically the same then, though I may have fewer boxes (3, with mobile included, if we really should count it as a box) :) The reason for 3 and 4 is that I discovered that during the day, I more often want to _encrypt_ something to myself, a file or a short piece of text, in various situations. It can be before uploading a diary note or a customer file to Dropbox or pretty much just That is the cool thing with public key crypto. +1! The day the practical possibilities of this dawned on me was a day of awsumness. Bests Sin T. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users