Robert J. Hansen wrote: > IIRC, it was a response to laws like the United Kingdom's RIPA which > allows the authorities to demand encryption keys from users. By > separating encryption and signing into separate subkeys, and making the > signing subkey the 'master' one, it allows users to divulge encryption > subkeys to the authorities when required, then immediately revoke those > encryption subkeys and resume encrypted communications with others. > > I may be in error.
In my case, it's because I like to change my encryption key on a regular basis (so that if an encryption key ever were to be cracked, it limits the damage to a smaller number of files/messages), but don't want the hassle of having to go around and get everyone to sign my new key every time I issue a new one. So, I have a master signing key with a long (or infinite) lifetime, but an encryption subkey with a short lifetime. When the encryption subkey expires, I generate a new encryption subkey which is signed by the master key, so all my contacts still consider it to be valid without them having to sign it (at a keysigning party etc.) _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
