| 1 |
On 4/24/19 4:19 PM, Rich Freeman wrote: |
| 2 |
> If it is the case that Nitrokeys can't support a separate primary key, |
| 3 |
> I'd suggest modifying the GLEP to remove that requirement when a |
| 4 |
> smartcard is in use. Its main purpose is to keep a key component |
| 5 |
> offline, and if the key is generated on the card that is already |
| 6 |
> accomplished. Maybe somebody has a suggestion for how to make the two |
| 7 |
> work together, otherwise I'll go ahead and suggest a GLEP revision for |
| 8 |
> the next Council meeting. |
| 9 |
|
| 10 |
The nitrokey has 3 slots, one signing (which can hold signing subkey or |
| 11 |
primary), encryption and authentication. So yes, the primary should be |
| 12 |
kept on an offline system or on a separate token that isn't brought |
| 13 |
around on regular basis, while the daily use operations use subkeys that |
| 14 |
reside on the token. |
| 15 |
|
| 16 |
The GLEP should not be changed on the requirement for distinct signing |
| 17 |
subkey, this is one of the expected results of it to begin with. |
| 18 |
-- |
| 19 |
Kristian Fiskerstrand |
| 20 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 21 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives