On Mar 3, 2008, at 4:59 PM, Neal Dudley wrote:
> I have read that it is good practice to create a primary signing key, and then use subkeys on the card. This is the recommended method for setup of the FSFE card, which is just a fancy skin on the OpenPGP card. My problem is that now I have a DSA primary key on trusted media in a safe location, which I have to retrieve for any key signing I want to perform. I cannot simply sign the keys with the signing subkey stored on my OpenPGP card.
>
> Are there any security implications for using the same signing key for normal document signing *and* key signing?
There are only minor security implications to this. The main reason why you use the primary key to sign keys (called "certification", by the way) is semantic. Identity in OpenPGP is a key plus a user ID. That key, given the way keys are laid out, is the primary. The primary is what certifies (self-signs) the user ID.

It is mathematically possible to certify a user ID with a subkey, but semantically that subkey isn't part of your identity, so the certification is not used.
> This brings me to my last question. Let us assume that I create a primary signing key with an expiration. I then get that key signed by several people. When the expiration date is near, do I simply create a new signing key and sign it with the original key (before it expires, of course)? Is the new key then considered just as trusted as the original key, which has all the signatures on it? Is there any method for transferring the signatures to the new key, or would the new key have to be re-signed by everyone that signed the original? Using the default WoT model, doesn't this mean that every third time the key is renewed, it would not be trusted and would need to be re-signed by everyone that signed the previous key?
No, you do not need to make a new key or do anything like that. If and when your key expires, you can simply extend the expiration date as needed. OpenPGP has "soft" key expiration that can be changed at will by the keyholder.
David
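The two points of the reply, as an added shell example that is not part of the original thread: it assumes GnuPG 2.2 or later (for the `--quick-*` commands), builds a certify-only primary key plus a sign-only subkey in a throwaway keyring under a constructed identity, then extends the primary's expiry and checks that the fingerprint (and therefore any certification on it) is unchanged.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GnuPG >= 2.2.
# Everything happens in a temporary GNUPGHOME with a constructed identity.
set -eu

# Unprotected test key: empty passphrase via loopback pinentry, batch mode.
gq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

demo_soft_expiry() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 0; }
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    uid='Expiry Demo <expiry-demo@example.invalid>'   # constructed test identity

    # Certify-only primary key expiring in one day: the key you keep offline.
    gq --quick-generate-key "$uid" ed25519 cert 1d 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys "$uid" | awk -F: '$1=="fpr"{print $10; exit}')

    # Sign-only subkey: the piece that would be moved to the OpenPGP card.
    gq --quick-add-key "$fpr" ed25519 sign 1d 2>/dev/null

    # Field 7 of the "pub" record is the expiration time (seconds since epoch).
    exp_before=$(gpg --batch --with-colons --list-keys "$fpr" | awk -F: '$1=="pub"{print $7; exit}')

    # "Soft" expiration: the keyholder re-issues the self-signature with a later date.
    gq --quick-set-expire "$fpr" 2y 2>/dev/null

    exp_after=$(gpg --batch --with-colons --list-keys "$fpr" | awk -F: '$1=="pub"{print $7; exit}')
    fpr_after=$(gpg --batch --with-colons --list-keys "$fpr" | awk -F: '$1=="fpr"{print $10; exit}')
    # Field 12: lowercase = this key's own capabilities, uppercase = whole key.
    caps=$(gpg --batch --with-colons --list-keys "$fpr" | awk -F: '$1=="pub"{print $12; exit}')

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"

    # Key material and fingerprint are untouched, so third-party certifications
    # on the primary stay valid; only the expiry moved.
    [ "$fpr" = "$fpr_after" ] || return 1
    [ "$exp_after" -gt "$exp_before" ] || return 1
    echo "fingerprint: $fpr (unchanged)"
    echo "expiry: $exp_before -> $exp_after"
    echo "primary capabilities: $caps"
}

demo_soft_expiry
```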
_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users