On Mar 5, 2009, at 4:22 AM, Felipe Alvarez wrote:


> Me again. Sorry to sound newbish. I've googled, but I haven't found anything quite as detailed enough for me to grasp the 'whole forest' (so to speak). My question is regarding 'subkeys.' Let me know if I am getting the wording/terminology incorrect.
>
> I understand that when I 'gen-key' I create a 'signing' key (to identify tampering/modification) and an 'encryption' key (shouldn't this be a DEcryption key? Wouldn't I use this for DEcrypting docs encrypted with my public key? But I digress).
>
> I am also able to add extra UIDs to my public key, so I can have, say 4 different email addresses, all attached to the same public key. Does this mean I have several SIGNING keys, or several DEcryption keys?

Neither. It means you have 4 different ways other people can find your key. An OpenPGP key is made up of a pile of keys (a primary key plus some number of subkeys) and a pile of user IDs. Any of the user IDs can be used to locate the key as a whole. Sometimes people set different preferences (essentially hints to the sender on how to encrypt data) on different user IDs, but the key that they encrypt to, and thus the key that you decrypt with, remains the same.

> Why would I want to create new 'subkeys?' Of what benefit to have, say 5 subkeys belonging to one (master)(private)(signing) key?

One reason is to have different keys for different purposes. You can have one subkey for encryption, one subkey for signing, and leave your primary key for certification. This lets you do tricks like keeping your primary key offline. This is useful as the primary key is the most "valuable" key (since it can make more subkeys), so protecting it is a good idea.

> What do the letters to the right of the words "usage" mean? (S,C,A,E) I can only guess |S|ign, |E|ncrypt, ....

(S)ign: sign some data (like a file)
(C)ertify: sign a key (this is called certification)
(A)uthenticate: authenticate yourself to a computer (for example, logging in)
(E)ncrypt: encrypt data

David


_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
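
The key structure described in the reply above can be read from GnuPG's machine-readable listing. This is an added example, not part of the original thread: it parses a constructed sample shaped like `gpg --list-keys --with-colons` output (key IDs, names and addresses are made up, and the helper names are this example's own) to show that every user ID leads to the same encryption subkey and whether a primary key is kept for certification only.

```python
from dataclasses import dataclass, field

CAPS = {"s": "sign", "c": "certify", "a": "authenticate", "e": "encrypt"}

# Constructed sample: field 5 = key ID, field 10 = user ID, field 12 = usage.
# First key: certify-only primary plus S/E/A subkeys. Second: sign+certify primary.
SAMPLE = """\
pub:u:2048:1:1111111111111111:1236211200:::u:::cSCEA:
uid:u::::1236211200::::Alice Example <alice@example.org>:
uid:u::::1236211200::::Alice Example <alice@example.net>:
sub:u:2048:1:2222222222222222:1236211200::::::s:
sub:u:2048:1:3333333333333333:1236211200::::::e:
sub:u:2048:1:4444444444444444:1236211200::::::a:
pub:u:1024:17:5555555555555555:1236211200:::u:::scESC:
uid:u::::1236211200::::Default Layout <default@example.org>:
sub:u:2048:16:6666666666666666:1236211200::::::e:
"""

@dataclass
class Cert:
    uids: list = field(default_factory=list)
    keys: dict = field(default_factory=dict)  # key ID -> own usage, primary first

def own_caps(flags):
    # Lowercase = this key's own usage; uppercase on "pub" summarises the whole key.
    return frozenset(CAPS[c] for c in flags if c in CAPS)

def parse(listing):
    certs = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            certs.append(Cert())
        if f[0] in ("pub", "sub") and certs:
            certs[-1].keys[f[4]] = own_caps(f[11])
        elif f[0] == "uid" and certs:
            certs[-1].uids.append(f[9])
    return certs

def find(certs, fragment):
    """Any user ID locates the key as a whole."""
    return [c for c in certs if any(fragment in u for u in c.uids)]

def keys_for(cert, capability):
    """IDs of the primary key or subkeys that carry the given usage flag."""
    return [kid for kid, caps in cert.keys.items() if capability in caps]

def primary_certify_only(cert):
    return next(iter(cert.keys.values())) == {"certify"}
```
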
