On Mon, Sep 05, 2005 at 01:46:07PM -0400, David Shaw wrote:
> On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote:
>> I tried to generate an RSAv4 certification-only key with GnuPG, but
>> failed, even in "expert mode".
>> Is this impossible with GnuPG? Is it a bad idea? Why? Do I
>> misunderstand the RFC?

> It's not impossible - 1.4.3 (not released yet) supports certify-only
> keys like you want.

OK, thanks.

> It's not necessarily a good idea though: some people before agreeing
> to sign a key will ask for a signed message to prove that you "own"
> the secret portion of the key they are about to sign.

I would obviously have at least one data-signing subkey. I presume these people would take a signature from such a subkey. Or decryption of a nonce they sent me encrypted to an encryption subkey.

> Why do you want such a key?

First, separation of roles. Doesn't hurt.

More importantly, my wishes on the primary key and on data signature keys are different. The primary key is my electronic identity; it should be humongous. If it can hold secure for all my life, then I want it to.

My data signatures, on the other hand, for most of them, a week of security is enough (but sometimes a few years is nice). Paying the cost of big signature size is less worth it, at least until computers again get too fast or factorisation becomes easier or ...

Maybe I even *want* them to fade away into fakability over time. Who knows what I will be in twenty years? I may be so unlucky as to be a politician then. I wouldn't want some of my teenage opinions or acts to haunt me back, would I?

You could argue I could have this without marking the key as certificate-only, by never issuing data signatures with the primary key. That's harder on me. I have to be more cautious. Over the course of twenty years, I *will* screw up.

Now, I'm starting to wonder if I can retroactively change the capabilities of the key. I just have to reissue the self-signature on the UserIDs, right? (Yes, I'd have to hack GnuPG to allow me to change the key flags.)

-- 
Lionel
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
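The "key flags" the thread turns on live in one subpacket of the key's self-signature, and reissuing that self-signature with a different flags octet is exactly what changes a key from "certify and sign" to "certify only". As an added illustration (not code from this thread, from GnuPG, or from its author), the decoder below parses an OpenPGP hashed-subpacket area following the framing of RFC 4880 section 5.2.3.1 and the key-flags subpacket (type 27) of section 5.2.3.21, and reports which capabilities a key's self-signature grants. The subpacket byte strings at the bottom are constructed for the example and are not real key material; a verifier would feed it the hashed area of the self-signature on a User ID instead.

```python
"""Decode OpenPGP key flags from a self-signature's hashed subpacket area.

Added example, not code from the gnupg-users thread or from GnuPG.
Subpacket framing: RFC 4880 section 5.2.3.1; key flags: section 5.2.3.21.
All sample byte strings below are constructed, not taken from a real key.
"""
from typing import Dict, Iterator, List, Tuple

KEY_FLAGS_SUBPACKET = 27  # subpacket type for "key flags"

# Defined bits of the first key-flags octet (RFC 4880 5.2.3.21).
KEY_FLAG_NAMES: Dict[int, str] = {
    0x01: "certify",          # may certify other keys: all a certify-only primary keeps
    0x02: "sign",             # may sign data
    0x04: "encrypt-comms",
    0x08: "encrypt-storage",
    0x10: "split-key",
    0x20: "authenticate",
    0x80: "group-key",
}


def iter_subpackets(area: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield (type, critical, body) for each subpacket in a subpacket area.

    Length framing: one octet below 192; two octets for 192..16319;
    0xFF followed by a 4-octet big-endian length. The length counts the
    type octet but not the length octets themselves.
    """
    pos, n = 0, len(area)
    while pos < n:
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            if pos + 1 >= n:
                raise ValueError("truncated two-octet subpacket length")
            length = ((first - 192) << 8) + area[pos + 1] + 192
            pos += 2
        else:
            if pos + 5 > n:
                raise ValueError("truncated five-octet subpacket length")
            length = int.from_bytes(area[pos + 1:pos + 5], "big")
            pos += 5
        if length < 1 or pos + length > n:
            raise ValueError("subpacket length runs past end of area")
        type_octet = area[pos]
        body = area[pos + 1:pos + length]
        yield type_octet & 0x7F, bool(type_octet & 0x80), body  # bit 7 = critical
        pos += length


def key_flags(area: bytes) -> List[str]:
    """Return the capability names granted by the key-flags subpacket, [] if absent.

    Only the first octet has defined bits; further octets are reserved.
    """
    for sp_type, _critical, body in iter_subpackets(area):
        if sp_type == KEY_FLAGS_SUBPACKET and body:
            bits = body[0]
            return [name for bit, name in sorted(KEY_FLAG_NAMES.items()) if bits & bit]
    return []


def is_certify_only(area: bytes) -> bool:
    """True when the self-signature grants certification and nothing else."""
    return key_flags(area) == ["certify"]


def rejects(area: bytes) -> bool:
    """True when the area is malformed (used to show truncation is caught)."""
    try:
        key_flags(area)
    except ValueError:
        return True
    return False


# Constructed hashed-subpacket areas (not real key material):
#   05 02 <4 octets>   signature creation time (type 2)
#   02 1B <flags>      key flags (type 27); 9B is the same type with the critical bit set
CREATION = bytes([0x05, 0x02, 0x43, 0x1C, 0x5E, 0x00])
CERTIFY_ONLY_PRIMARY = CREATION + bytes([0x02, 0x1B, 0x01])
SIGN_AND_CERTIFY_PRIMARY = CREATION + bytes([0x02, 0x1B, 0x03])
SIGNING_SUBKEY = CREATION + bytes([0x02, 0x1B, 0x02])
ENCRYPTION_SUBKEY = CREATION + bytes([0x02, 0x1B, 0x0C])
CRITICAL_CERTIFY_ONLY = CREATION + bytes([0x02, 0x9B, 0x01])
# A 200-octet private/experimental subpacket (type 100) exercises the
# two-octet length form: 201 = ((192-192) << 8) + 9 + 192.
LONG_PRIVATE = bytes([192, 9, 100]) + bytes(200)
PADDED_CERTIFY_ONLY = CREATION + LONG_PRIVATE + bytes([0x02, 0x1B, 0x01])
TRUNCATED = bytes([0x05, 0x02, 0x43])

if __name__ == "__main__":
    for label, area in [("certify-only primary", CERTIFY_ONLY_PRIMARY),
                        ("sign+certify primary", SIGN_AND_CERTIFY_PRIMARY),
                        ("signing subkey", SIGNING_SUBKEY),
                        ("encryption subkey", ENCRYPTION_SUBKEY)]:
        print(f"{label:22} flags={key_flags(area)} certify_only={is_certify_only(area)}")
```

The point of the constructed pairs is the one the thread makes: the certify-only primary and the sign+certify primary differ in a single bit of one subpacket, so "reissuing the self-signature" means producing a new signature over the same key and User ID whose key-flags octet drops 0x02. Anyone checking a key's capabilities should read this subpacket from the self-signature, as here, rather than inferring capabilities from the algorithm or from what signatures the key has previously made.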
