Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-08-01 Thread Gabriel Philippe
On Tue, Aug 1, 2017 at 1:45 PM, MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:
>>(...)
> Shouldn't "auto-key-locate" in their gpg.conf take care of this?
>> (...)
> Doesn't "auto-key-retrieve" in their gpg.conf take care of this?

Well, these are not defaults, hence unlikely to be defined

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-08-01 Thread MFPA
On Monday 31 July 2017 at 10:11:16 PM, in , Gabriel Philippe wrote:-

> A good practice is to define close expiration dates for keys and subkeys, and regularly postpone

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Gabriel Philippe
On Mon, Jul 31, 2017 at 5:28 PM, Andrew Gallagher wrote:
> There are two enormous holes in this argument:
>
> 1. If the people you communicate with regularly don't do "gpg --refresh-keys" regularly they won't find out whether *anything* has *ever* been revoked.

A good

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Mario Figueiredo
On Mon, 31 Jul 2017 18:38:09 +0200 Damien Goutte-Gattat wrote:
> The problem with recommending unnecessary steps is that they will confuse the beginner and make him think that GnuPG is more difficult to use than it already is.

Which essentially describes my whole

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Damien Goutte-Gattat
On 07/31/2017 05:49 PM, Dirk-Willem van Gulik wrote:
> For what it is worth - the various best practices at `riseup.net’[1] seem to strike a good middle ground.

For what it is worth, I disagree. The main problem I have with that document is that it implies the user should care about a lot of

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Peter Lebbing
On 31/07/17 17:49, Dirk-Willem van Gulik wrote:
> For what it is worth - the various best practices at `riseup.net’[1] seem to strike a good middle ground.

IMO, the good middle ground is the defaults. A wide middle. Maybe more a country than a ground ;-). And I wasn't very

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Dirk-Willem van Gulik
> On 31 Jul 2017, at 17:41, Robert J. Hansen wrote:
>
>> Could probably be a direct application of this Debian article (1) on subkeys. And meant to facilitate the recovery of the web of trust in case of disaster.
>>
>> On a separate tutorial (2), Alan Eliasen

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Mario Figueiredo
On Mon, 31 Jul 2017 15:44:52 +0100 Mario Figueiredo wrote:
> On a separate tutorial (2), Alan Eliasen strongly advises against this practice.

I'm replying to my own post, because the above seems a little like I'm trying to make an argument from authority. That was not my

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Robert J. Hansen
> Could probably be a direct application of this Debian article (1) on subkeys. And meant to facilitate the recovery of the web of trust in case of disaster.
>
> On a separate tutorial (2), Alan Eliasen strongly advises against this practice.

I hate to say something bad about a tutorial

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Andrew Gallagher
On 2017/07/31 15:44, Mario Figueiredo wrote:
> On a separate tutorial (2), Alan Eliasen strongly advises against this practice.

He does, but his argument is weak. The meat of it is:

> Unless everyone that you communicate with regularly does something like:
>
> gpg --refresh-keys
>
> to

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-31 Thread Mario Figueiredo
On Sun, 30 Jul 2017 22:19:22 +0200 Dirk-Willem van Gulik wrote:
> I see a growing number of keys that have well managed & expired separate subkeys for Signing, Encryption and Authentication switch from ‘SC’ on the master key to just ‘C’ (all RSA, ignoring DSA).
>

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-30 Thread Robert J. Hansen
> Would anyone know if there is some documented best practice ?

The standard advice applies: stick with the defaults.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-30 Thread Andrew Gallagher
> On 30 Jul 2017, at 21:19, Dirk-Willem van Gulik wrote:
>
> I see a growing number of keys that have well managed & expired separate subkeys for Signing, Encryption and Authentication switch from ‘SC’ on the master key to just ‘C’ (all RSA, ignoring DSA).
>
> Would

'sign (and cert)' or just 'cert' on a master key with subkeys

2017-07-30 Thread Dirk-Willem van Gulik
I see a growing number of keys that have well managed & expired separate subkeys for Signing, Encryption and Authentication switch from ‘SC’ on the master key to just ‘C’ (all RSA, ignoring DSA).

Would anyone know if there is some documented best practice ?

Dw