On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote:
> * If you don't want to buy hardware, use an offline master key. Create
>   a certification only master key using something like PGP Clean Room
>   on a non-networked host, and store that on a USB key you only ever put
>   into your machine when running your clean, non-networked,
>   environment. Create at least 2 subkeys - signing + encryption - and
>   use those in your day to day work. You then only need the master key
>   when dealing with signing other keys, or updating your subkeys. In
>   the event of your subkeys being compromised or lost or whatever you
>   can just regenerate; because your master key is offline it should
>   remain secure meaning you don't have to go through the pain of
>   getting cross signatures again.
- Which key goes on the paper slab that everybody uses to collect
  signatures? The certification only master key?
- For which (set of) keys should I have revocation certificates on file?
- What key goes into the Debian keyring? A signing (only?) subkey of the
  certification master key? Is it recommended to have this key
  "available", for example in a Gnuk on my keychain next to the key to
  my home?
- Which (set of) keys goes to the key servers?

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things." Winona Ryder    | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
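The layout Jonathan describes (a certification-only master key, separate signing and encryption subkeys, the master secret key removed from the machine used day to day) can be built with GnuPG batch commands. The script below is an added example written for this page; it is not code from either poster or from PGP Clean Room. It assumes GnuPG 2.1 or later, picks ed25519/cv25519 only because generation is fast (the thread names no algorithm), uses no passphrase so that it runs unattended, and works in a throwaway GNUPGHOME; the function names `make_keys`, `master_is_offline` and `key_caps`, the helper `gpgq` and the sample user `Example User <example@example.invalid>` are all mine. A real master key would be generated on the offline host with a passphrase and the exported files would travel by USB, exactly as described above.

```shell
#!/bin/sh
# Added example, not from the thread: certify-only master key plus signing
# and encryption subkeys with GnuPG >= 2.1, in a throwaway GNUPGHOME.
# Assumptions: ed25519/cv25519 (speed only), no passphrase (unattended run),
# loopback pinentry so no dialog is ever opened.
set -eu

# gpgq: gpg in batch mode with an empty loopback passphrase, so neither key
# generation nor export can block on pinentry. GNUPGHOME must be set by the caller.
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# make_keys DIR NAME EMAIL -> prints the master key fingerprint. Leaves in DIR:
#   master-secret.asc   the certify-only master key (this is the offline part)
#   subkeys-secret.asc  signing + encryption subkeys (the day-to-day part)
#   public.asc          the public key, the only part that is ever published
#   revoke.asc          revocation certificate GnuPG wrote for the master key
# and then removes the master secret key from DIR's keyring, so the keyring
# in DIR becomes the one a daily machine would hold.
make_keys() {
    mk_dir=$1; mk_name=$2; mk_email=$3
    mkdir -p "$mk_dir"; chmod 700 "$mk_dir"
    export GNUPGHOME="$mk_dir"

    # Key-Usage: cert restricts the primary key to certification (no S, no E).
    gpgq --generate-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: cert
Name-Real: $mk_name
Name-Email: $mk_email
Expire-Date: 0
%commit
EOF
    mk_fpr=$(gpgq --with-colons --list-secret-keys "$mk_email" \
             | awk -F: '$1=="fpr"{print $10; exit}')

    # One sign-only and one encrypt-only subkey, each expiring after a year.
    # Renewing or replacing them is the only routine task needing the master key.
    gpgq --quick-add-key "$mk_fpr" ed25519 sign 1y
    gpgq --quick-add-key "$mk_fpr" cv25519 encrypt 1y

    gpgq --yes --armor --output "$mk_dir/master-secret.asc"  --export-secret-keys    "$mk_fpr"
    gpgq --yes --armor --output "$mk_dir/subkeys-secret.asc" --export-secret-subkeys "$mk_fpr"
    gpgq --yes --armor --output "$mk_dir/public.asc"         --export                "$mk_fpr"
    # GnuPG >= 2.1 writes a revocation certificate at key creation time.
    cp "$mk_dir/openpgp-revocs.d/$mk_fpr.rev" "$mk_dir/revoke.asc"

    # Take the master key "offline": the agent keeps one file per secret key
    # under private-keys-v1.d/<keygrip>.key; delete the primary's file and
    # only the subkeys stay usable here (gpg then lists the primary as sec#).
    mk_grip=$(gpgq --with-colons --with-keygrip --list-secret-keys "$mk_fpr" \
              | awk -F: '$1=="grp"{print $10; exit}')
    rm "$mk_dir/private-keys-v1.d/$mk_grip.key"
    gpgconf --kill gpg-agent
    echo "$mk_fpr"
}

# master_is_offline DIR -> "yes" when the primary secret key is absent (sec#).
master_is_offline() {
    if GNUPGHOME=$1 gpg --batch --list-secret-keys 2>/dev/null | grep -q '^sec#'; then
        echo yes
    else
        echo no
    fi
    GNUPGHOME=$1 gpgconf --kill gpg-agent
}

# key_caps DIR -> "<primary's own usage>:<subkey usages>", e.g. "c:s e".
# Colon-format field 12 holds the usage letters; lowercase ones are the key's own.
key_caps() {
    GNUPGHOME=$1 gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1=="sec"{p=$12; gsub(/[^a-z]/,"",p)}
                   $1=="ssb"{s=s sep $12; sep=" "}
                   END{print p ":" s}'
    GNUPGHOME=$1 gpgconf --kill gpg-agent
}

if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    fpr=$(make_keys "$d" "Example User" "example@example.invalid")
    echo "fingerprint:    $fpr"
    echo "master offline: $(master_is_offline "$d")"
    echo "capabilities:   $(key_caps "$d")"
    echo "files in $d: master-secret.asc subkeys-secret.asc public.asc revoke.asc"
fi
```

Run it as `sh keys.sh run`. After it finishes, `master-secret.asc` and `revoke.asc` are the two files that belong on the offline medium, `subkeys-secret.asc` is what a daily machine or a token gets imported from, and `public.asc` is the only artifact that is safe to hand out; the temporary GNUPGHOME itself already shows the day-to-day state, with the primary listed as `sec#` and only the `s` and `e` subkeys usable.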

