On Sun, 11 Jan 2015 20:55:29 -0500
Rich Freeman <rich0@g.o> wrote:

> On Sun, Jan 11, 2015 at 8:34 PM, Brian Dolbec <dolsen@g.o>
> wrote:
>
> > I added a little more info to the First-Use wiki page, I included a
> > link to a great webpage about setting up gpg keys.
> >
> > https://alexcabal.com/creating-the-perfect-gpg-keypair/
> >
> > there are lots more, but I like that one, it is clear, concise,...
>
> From that site: By default GPG creates one signing subkey (your
> identity) and one encryption subkey (how you receive messages intended
> for you)...Use GPG to add an additional signing subkey to your
> keypair. This new subkey is linked to the first signing key. Now we
> have three subkeys.
>
> But, whatever. If we want a total of three keys in the key then I
> don't really have a problem with that. I'm not sure what it buys you
> other than lots of confusion about how to sign the right thing with
> the right key. :)
>

Ok, the original text:

1. Create a regular GPG keypair. By default GPG creates one signing
subkey (your identity) and one encryption subkey (how you receive
messages intended for you).

That looks like a slight error in the author's wording.

It creates one primary key with signing and authorization capability, and
one encryption sub-key.

When you add a signing subkey, that subkey then becomes the default key
used for signing with. If you have more than one signing subkey, the
default can be set in gnupg.conf without editing the key. Otherwise
you must specify which key to sign with. It is much easier to
revoke that signing subkey and add a new one, without the need to
create an entirely new key, losing all the key signatures it is signed
with. If you revoke a primary key, all subkeys it contains are revoked
as well. In that article the author describes how to generate the
subkeys and remove the original (master) keypair for installation on a
laptop, desktop, etc. (separate subkeys for each machine) which may be
stolen. You keep the original (master) keypair in a secure location (e.g.
bank safe deposit box, etc.). If the laptop is stolen, the thieves do not
have access to modify the gpg keys (even if they have the password),
and those specific subkeys can be easily revoked, without losing your
entire gpg key and the signatures it has accumulated. Using your master
keypair you generate new subkeys for installation on your replacement
laptop, and continue...

--
Brian Dolbec <dolsen>
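The key layout the message walks through, as an added example that is not part of the thread or of the linked article: it generates a primary key plus the default encryption subkey, adds a separate signing subkey, shows which subkey actually signs (pinned with `-u FPR!` or via `default-key` in gpg.conf), and exports only the subkeys for a laptop keyring. It assumes GnuPG 2.1 or later on PATH; the user id and message are constructed, and the passphrase is empty because the keyring is a throwaway in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GnuPG >= 2.1. The user id
# is constructed; the passphrase is empty because the keyring is throwaway.
set -e

GNUPGHOME=$(mktemp -d)          # isolated keyring, never touches ~/.gnupg
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Non-interactive gpg: batch mode with the (empty) passphrase passed inline.
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

make_keypair() {
  # "default default" gives a primary key (sign+cert) and one encryption
  # subkey, the layout the mail says gpg creates by default.
  # Prints the primary key fingerprint.
  gpgb --quick-gen-key "Example Dev (constructed) <dev@example.invalid>" \
    default default never >/dev/null
  gpgb --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

add_signing_subkey() {
  # $1 = primary fingerprint. The new subkey is bound to the primary key,
  # so it can later be revoked on its own without touching the primary.
  gpgb --quick-add-key "$1" rsa2048 sign never
}

subkey_caps() {
  # One line per subkey: "<fingerprint> <capability letters>".
  # In --with-colons output field 12 of an ssb record holds the usage flags
  # (s = sign, e = encrypt, a = auth); the fpr record follows the ssb record.
  gpgb --with-colons --list-secret-keys "$1" | awk -F: '
    $1=="ssb" { caps=$12; want=1; next }
    $1=="fpr" && want { print $10, caps; want=0 }'
}

count_signing_subkeys() {
  subkey_caps "$1" | awk '$2 ~ /s/ { n++ } END { print n+0 }'
}

sign_with() {
  # $1 = subkey fingerprint, $2 = file. The trailing "!" pins that exact
  # subkey; without it gpg chooses a signing subkey itself, which is the
  # "which key signs what" confusion the thread mentions.
  gpgb --local-user "$1!" --detach-sign --output "$2.sig" "$2"
}

set_default_signing_key() {
  # Names $1 as the default signing key in gpg.conf, so the key itself is
  # not edited and -u is no longer needed on every signing command.
  printf 'default-key %s\n' "$1" >> "$GNUPGHOME/gpg.conf"
}

sign_default() { gpgb --detach-sign --output "$1.sig" "$1"; }

signer_of() {
  # Fingerprint of the (sub)key that produced $1.sig, taken from the
  # machine-readable VALIDSIG status line rather than the human-readable text.
  gpgb --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
    awk '$2=="VALIDSIG" { print $3; exit }'
}

export_laptop_keyring() {
  # Secret material for the subkeys only; the primary's secret part becomes
  # a stub. This is what goes on the laptop while the primary stays offline.
  gpgb --armor --export-secret-subkeys "$1"
}

FPR=$(make_keypair)
add_signing_subkey "$FPR"
subkey_caps "$FPR"
SIGN_SUB=$(subkey_caps "$FPR" | awk '$2 ~ /s/ { print $1; exit }')

MSG="$GNUPGHOME/msg.txt"
printf 'constructed message\n' > "$MSG"
sign_with "$SIGN_SUB" "$MSG"
echo "pinned signature made by subkey $(signer_of "$MSG")"

MSG2="$GNUPGHOME/msg2.txt"
printf 'second constructed message\n' > "$MSG2"
set_default_signing_key "$SIGN_SUB"
sign_default "$MSG2"
echo "default-key signature made by subkey $(signer_of "$MSG2")"

export_laptop_keyring "$FPR" > "$GNUPGHOME/laptop-subkeys.asc"
```

Listing `subkey_caps` before and after `add_signing_subkey` is the quickest way to see the point of the mail: the encryption subkey carries `e`, the added subkey carries `s`, and the primary key (the `sec` record, not shown here) keeps certification. Revoking the laptop's signing subkey later is a `revkey` in `gpg --edit-key` on the offline primary, followed by re-exporting the public key; the key signatures on the primary are unaffected.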