Gentoo Archives: gentoo-dev

From: James Le Cuirot <chewi@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Best way to create a GLEP 63 compliant GPG key on Nitrocard?
Date: Thu, 25 Apr 2019 21:54:55
In Reply to: Re: [gentoo-dev] Best way to create a GLEP 63 compliant GPG key on Nitrocard? by Marek Szuba
1 On Thu, 25 Apr 2019 12:57:54 +0100
2 Marek Szuba <marecki@g.o> wrote:
4 > On 2019-04-24 20:34, Rich Freeman wrote:
5 >
6 > > The only reason to have a separate primary key is to have an offline
7 > > copy,
8 >
9 > Not quite. First and foremost, you do not want to have an offline copy
10 > of the primary private key - you want to have the primary ENTIRELY
11 > offline.
13 This has confused me. Granted, GLEP 63 does not say anything about
14 where to store the primary key but I followed the Debian guide at
15, believing it to be best practise and
16 if I understood it correctly, it only removes the primary private key
17 from the online copy and not the entire primary key. The --list-keys
18 option shows an [SC] primary with an [E] subkey and an [S] subkey and I
19 gathered from a conversation in #gentoo-dev that this is correct. Are
20 you suggesting the [SC] primary should not appear here at all?
22 > Secondly, the reason for that is not (just) to have a backup
23 > but that the primary private key gives you virtually unlimited control.
25 Are you contradicting yourself here? You explained why the private key
26 must be kept secure but you didn't say anything about the rest of the
27 primary key.
29 --
30 James Le Cuirot (chewi)
31 Gentoo Linux Developer