On Mon, Dec 8, 2014 at 10:12 AM, gnupgpacker <[email protected]> wrote:
> Kristian,
> I am a little bit confused about your key design ;)
>
> Main key has options SC.
> There is an active newer signing key S, so this will be always used for
> signing?
My understanding is that if you have multiple signing subkeys on one computer, GnuPG will use the most-recently-created signing subkey for signing messages by default. However, nothing stops you from creating multiple signing subkeys and distributing these to your different devices (e.g. SubkeyA for your desktop, SubkeyB for your laptop, etc.). Since all these signing subkeys are bound to your main key, signatures generated by any of them are valid. Recipients who verify the signatures do not need to be aware of the existence of other subkeys, so long as the binding between the main key and the subkey used to sign the message exists.

> And there are two active encryption keys E:
> GPG uses in my opinion only the key generated latest, isn't it?

Encryption subkeys are handled a bit differently. Typically GnuPG will encrypt messages to the recipient's most-recently-created encryption subkey. This makes per-device encryption subkeys a bit less practical.

> So how to desire which key is used?

You can specify a particular key ID by appending an exclamation point ( ! ) after the key ID, fingerprint, etc. See https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html for details.

As an example, I have a DSA main key with the ID 0xDA122186. When I generated it I also generated an ElGamal encryption subkey. Later, I generated RSA encryption and signing subkeys.

If I sign a message, GnuPG will use the RSA signing subkey by default. If someone encrypts a message to me, they will encrypt a message to the RSA encryption subkey (as it is newer than the ElGamal one).

If I wanted to force GnuPG to sign a message with my DSA main key instead of the RSA subkey, I could use the command "gpg --clearsign --armor -u DA122186!". Similarly, if someone wanted to force a message to be encrypted to my ElGamal subkey they could use "gpg --encrypt --armor -r 19DF6C14!"

Cheers!
-Pete

> And what's about backward compatibility?
>
> Thanks for any hint, regards, Chris
>
>> -----Original Message-----
>> From: Gnupg-users [mailto:[email protected]] On Behalf Of
>> Kristian Fiskerstrand
>> Sent: Sunday, December 07, 2014 10:16 PM
>> Tomo: you'll find that my key has a few subkeys at least due to these
>> practices. It doesn't provide any issue for either keyservers or to
>> use more generally, but you are correct in that the information is
>> retained.
>
>
> _______________________________________________
> Gnupg-users mailing list
> [email protected]
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
Pete Stephenson
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
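As an added example, not code from the thread or from GnuPG itself: a small Python model of the subkey selection rule Pete describes, run over constructed `gpg --list-keys --with-colons`-style records, together with the trailing `!` that pins one specific key ID on the command line. The selection logic (newest usable subkey carrying the needed capability) is an assumption modelled on the message, not GnuPG's actual implementation, and all key IDs and dates are made up.

```python
"""Model of default subkey selection and the '!' key-ID suffix."""

# Constructed sample in the shape of `gpg --list-keys --with-colons` output.
# Field 2 is validity (e=expired, r=revoked), field 6 creation time,
# field 7 expiry time, field 12 capabilities ('s' sign, 'e' encrypt).
SAMPLE_COLONS = """\
pub:u:1024:17:00000000DA122186:1100000000:::u:::scESC::::::23::0:
sub:u:2048:16:000000001AAAAAAA:1100000100::::::e::::::23:
sub:u:4096:1:00000000BBBBBBBB:1400000000::::::e::::::23:
sub:u:4096:1:00000000CCCCCCCC:1400000100::::::s::::::23:
sub:e:4096:1:00000000DDDDDDDD:1410000000:1415000000:::::e::::::23:
sub:r:4096:1:00000000EEEEEEEE:1420000000::::::s::::::23:
"""


def parse_keys(colons):
    """Return (primary key ID, list of subkey dicts) from colon records."""
    primary, subkeys = None, []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]
        elif f[0] == "sub":
            subkeys.append({"keyid": f[4], "validity": f[1],
                            "created": int(f[5]),
                            "expires": int(f[6]) if f[6] else None,
                            "caps": f[11]})
    return primary, subkeys


def default_subkey(subkeys, cap, now):
    """Newest subkey with capability `cap` that is not revoked, expired
    or disabled (the rule described in the thread), or None."""
    usable = [k for k in subkeys
              if cap in k["caps"]
              and k["validity"] not in ("r", "e", "d")
              and (k["expires"] is None or k["expires"] > now)]
    if not usable:
        return None
    return max(usable, key=lambda k: k["created"])["keyid"]


def gpg_command(op, keyid, force=False):
    """Argument list for signing or encrypting; force=True appends '!'
    so gpg uses exactly that key ID instead of choosing a subkey."""
    spec = keyid + ("!" if force else "")
    if op == "sign":
        return ["gpg", "--clearsign", "--armor", "-u", spec]
    if op == "encrypt":
        return ["gpg", "--encrypt", "--armor", "-r", spec]
    raise ValueError("unknown operation: " + op)
```

Running `default_subkey` over the sample skips the expired and revoked subkeys, so the second-newest valid key is chosen even though a newer one exists on the keyring.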
