On Thu, 25 Apr 2019 12:57:54 +0100
Marek Szuba <marecki@g.o> wrote:

> On 2019-04-24 20:34, Rich Freeman wrote:
>
> > The only reason to have a separate primary key is to have an offline
> > copy,
>
> Not quite. First and foremost, you do not want to have an offline copy
> of the primary private key - you want to have the primary ENTIRELY
> offline.

This has confused me. Granted, GLEP 63 does not say anything about
where to store the primary key but I followed the Debian guide at
https://wiki.debian.org/Subkeys, believing it to be best practise and
if I understood it correctly, it only removes the primary private key
from the online copy and not the entire primary key. The --list-keys
option shows an [SC] primary with an [E] subkey and an [S] subkey and I
gathered from a conversation in #gentoo-dev that this is correct. Are
you suggesting the [SC] primary should not appear here at all?

> Secondly, the reason for that is not (just) to have a backup
> but that the primary private key gives you virtually unlimited control.

Are you contradicting yourself here? You explained why the private key
must be kept secure but you didn't say anything about the rest of the
primary key.

--
James Le Cuirot (chewi)
Gentoo Linux Developer