Hi Andrew,

I didn't think that it would actually hurt anything, but I wasn't sure about the internals. I'm a little bit OCD (or anal, or whatever neo-psychobabble term applies), and having the authentication capability on the signing key, after creating an authentication subkey, just LOOKED wrong to me; whether it is wrong is another story...

Thank you,

Roy A. Gilmore

On 12/04/2016 03:09 PM, Andrew Gallagher wrote:
> Hi Roy,
>
> You normally don't need to remove the A capability from a signing key. By
> default, gnupg will use the most recently created valid subkey with the
> appropriate capability, so all you need to do is create a new A subkey and it
> will be used in preference to the old one. Mathematically, authentication is
> just a special case of signing, so having both S and A on a subkey does not
> introduce extra vulnerabilities (that we know of).
>
> It is technically possible to change the capability flags on any key, but you
> can't do it with a vanilla version of the software. There is a patch
> somewhere in the archives of this list but I would recommend against it. The
> only use case where it would be necessary to remove a capability flag would
> be if you had created an encryption key that also had S or A capability - but
> it's almost impossible to do it by accident and in such cases it's safer to
> revoke the key and start again.
>
> Andrew Gallagher
>
>> On 4 Dec 2016, at 21:29, Roy A. Gilmore <[email protected]> wrote:
>>
>> Hi,
>>
>> I have a keypair that was initially generated with the defaults, so the
>> signing key also has the authenticate capability enabled. I want to add
>> a separate authentication subkey for use with an OpenPGP smartcard. Is
>> there any way to turn the authenticate capability off on the signing
>> key? It doesn't sound like it should be that difficult, but I've
>> searched using several different search terms, and I can't seem to find
>> a way to do this.
>>
>> Roy A. Gilmore
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> [email protected]
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
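
Added example (not part of the thread and not GnuPG's own code): Python that models the selection rule described in the reply above over a constructed `gpg --list-keys --with-colons` listing, and flags any key that combines encryption with S or A capability. The key IDs, timestamps and function names are made up, and the fallback to the primary key when no subkey qualifies is an assumption of this example.

```python
import time

# Constructed sample in the `gpg --list-keys --with-colons` format; key IDs
# and timestamps are made up. Field 2 = validity, 5 = key ID, 6 = creation
# time, 7 = expiry, 12 = capabilities (lowercase letters apply to that key).
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1450000000:::u:::scaESCA:
uid:u::::1450000000::::Example User <user@example.org>:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1450000000::::::e:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1480000000::::::a:
sub:r:2048:1:DDDDDDDDDDDDDDDD:1480500000::::::a:
"""

BAD_VALIDITY = {"r", "e", "d", "i"}  # revoked, expired, disabled, invalid

def parse_keys(listing):
    """Return one dict per pub/sub record in a colon listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        keys.append({
            "primary": f[0] == "pub", "validity": f[1], "keyid": f[4],
            "created": int(f[5]), "expires": int(f[6]) if f[6] else None,
            "caps": {c for c in f[11] if c.islower()},
        })
    return keys

def usable(key, now):
    expired = key["expires"] is not None and key["expires"] <= now
    return key["validity"] not in BAD_VALIDITY and not expired

def select_key(keys, cap, now=None):
    """Model of the rule in the reply: newest usable subkey with `cap`.
    Assumption: fall back to the primary key when no subkey qualifies."""
    now = time.time() if now is None else now
    ok = [k for k in keys if cap in k["caps"] and usable(k, now)]
    pool = [k for k in ok if not k["primary"]] or ok
    return max(pool, key=lambda k: k["created"]) if pool else None

def mixed_use(keys):
    """Key IDs that combine encryption with signing or authentication."""
    return [k["keyid"] for k in keys
            if "e" in k["caps"] and k["caps"] & {"s", "a"}]

if __name__ == "__main__":
    keys = parse_keys(SAMPLE)
    print("authentication key:", select_key(keys, "a")["keyid"])
    print("mixed-use keys:", mixed_use(keys))
```

In the sample, the revoked subkey is the newest one with the A capability, so the selection falls to the older valid A subkey rather than to the primary key that also carries A.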
