On Thu, Mar 05, 2009 at 12:14:24PM -0500, gerry_lowry (alliston ontario canada) wrote:
> David Shaw wrote, in part:
>
> You can have one subkey for encryption, one subkey for signing, and
> leave your primary key for certification.
>
> This lets you do tricks like keeping your primary key offline.
>
> This is useful as the primary key is the most "valuable" key (since it
> can make more subkeys),
>
> Question # 1: does primary key here mean "primary PUBLIC key"?

No. Primary secret key. There is no risk in keeping a primary public key online. It's public already.

> Question # 2: without the pass phrase, how can one make more subkeys?

You cannot. To make more subkeys you need both the passphrase and the primary secret key.

> Question # 3: what determines that a key is a "primary" key?
> (is it because --gen-key was used instead of
> --edit-key?)

Essentially, yes. --gen-key always makes a primary key. If you accept the default, it also makes you a single subkey. You can add more subkeys to it later via --edit-key.

> Question # 4: by offline, do you mean not on a keyserver?
> (versus not on your local hard disk?)

By offline I mean not even on your local hard disk. Offline, say, on a USB flash disk, or a CD-R.

David

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
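An added example, not part of the message above or of GnuPG itself: a check that a keyring matches the layout described in the thread, with the primary secret key absent from disk and used only for certification while the subkeys stay local. It assumes the GnuPG 2.1+ `--with-colons` field layout; the function name, sample listings and key IDs are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumed GnuPG 2.1+ colon format: field 1 = record type
# (sec = primary secret key, ssb = secret subkey), field 5 = key ID,
# field 12 = capabilities, field 15 = "#" when only a stub of the secret
# key is on disk, "+" when the secret material is present.
# Real use: gpg --list-secret-keys --with-colons | audit_keyring

audit_keyring() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            role  = ($1 == "sec") ? "primary" : "subkey"
            where = ($15 == "#") ? "offline" : "on-disk"
            own = $12
            gsub(/[ESCAD]/, "", own)   # uppercase letters summarise the whole key
            printf "%s %s caps=%s %s\n", role, $5, own, where
            if ($1 == "sec" && $15 != "#") bad = 1   # primary secret is on this disk
            if ($1 == "sec" && own != "c") bad = 1   # primary used for more than certification
        }
        END { exit bad + 0 }   # non-zero when the layout is not the one described
    '
}

# Constructed listing: primary moved offline, signing and encryption subkeys local.
SAMPLE_OFFLINE='sec:u:4096:1:1111111111111111:1236273264:::u:::cESC:::#:::23::0:
ssb:u:2048:1:2222222222222222:1236273300::::::s:::+:::23:
ssb:u:2048:1:3333333333333333:1236273320::::::e:::+:::23:'

# Constructed listing: default key, primary secret on disk and also used for signing.
SAMPLE_ONDISK='sec:u:2048:1:4444444444444444:1236273264:::u:::scESC:::+:::23::0:
ssb:u:2048:1:5555555555555555:1236273300::::::e:::+:::23:'

printf '%s\n' "$SAMPLE_OFFLINE" | audit_keyring
```

The function exits non-zero when the primary secret key is present or carries capabilities beyond certification, so it can gate a backup or provisioning script.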
