Question about signing subkeys
David Shaw
dshaw at jabberwocky.com
Fri Oct 28 18:13:24 CEST 2005
On Thu, Oct 27, 2005 at 11:09:45PM -0500, Joe Vender wrote:

> For what reasons would someone use a subkey as the signing key
> instead of using the primary key as the signing key? In other words,
> what are the advantages and disadvantages, if any, of using a subkey
> instead of a primary key for signing?

Advantages:

* Allows you to keep your primary key offline (a key that isn't there
  is really difficult to compromise either accidentally or not).

* Allows you to roll your signing key (via expiry or revocation)
  every now and then without losing signatures on your key from other
  people.

* Allows you to use a different algorithm for signing than you use
  for certification/identity. For example, using a big RSA key is
  annoying for clearsigning since the signatures are large... but many
  people like using a big RSA key for their primary key because it's
  large. Using a signing DSA subkey and a big RSA primary is the best
  of both worlds.

Disadvantages:

* Some keyservers can't handle it. This isn't too much of a problem
  these days.

David
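
Added example, not part of the original message or of GnuPG itself: a small audit of `gpg --list-keys --with-colons` output that reports, per primary key, whether the primary can sign data on its own and which usable signing subkeys exist (with algorithm and expiry). The sample listing, key IDs and dates are constructed, and the function name `audit` is hypothetical.

```python
# Added example: check a colon-format key listing for the signing-subkey layout.
ALGO = {"1": "RSA", "16": "Elgamal", "17": "DSA"}  # OpenPGP public-key algorithm ids

# Constructed sample (key ids and timestamps are made up for illustration).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1130000000:::u:::cSCE:
uid:u::::1130000000::0000::Constructed User <user@example.org>:
sub:r:1024:17:AAAAAAAAAAAAAAA2:1100000000::::::s:
sub:u:1024:17:AAAAAAAAAAAAAAA3:1130000000:1161536000:::::s:
sub:u:2048:16:AAAAAAAAAAAAAAA4:1130000000::::::e:
pub:u:1024:17:BBBBBBBBBBBBBBB1:1130000000:::u:::scESC:
sub:u:2048:16:BBBBBBBBBBBBBBB2:1130000000::::::e:
"""

def audit(listing, now):
    """Map each primary key id to its signing layout as of epoch time `now`."""
    report, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue  # uid, fpr and other record types are not needed here
        algo = ALGO.get(f[3], f[3])
        if f[0] == "pub":
            # Lowercase letters are the primary's own capabilities; uppercase
            # letters describe the key as a whole, subkeys included.
            own = {c for c in f[11] if c.islower()}
            current = report[f[4]] = {"primary_algo": algo,
                                      "primary_can_sign": "s" in own,
                                      "signing_subkeys": []}
            continue
        if current is None:
            continue  # subkey record without a preceding primary
        expires = int(f[6]) if f[6] else None
        # Field 2 is validity: r = revoked, e = expired, i = invalid.
        usable = f[1] not in ("r", "e", "i") and (expires is None or expires > now)
        if "s" in f[11] and usable:
            current["signing_subkeys"].append((f[4], algo, expires))
    for entry in report.values():
        # True when data signatures can only come from a subkey.
        entry["signs_with_subkey_only"] = (bool(entry["signing_subkeys"])
                                           and not entry["primary_can_sign"])
    return report

if __name__ == "__main__":
    for keyid, entry in audit(SAMPLE, now=1140000000).items():
        print(keyid, entry)
```
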
More information about the Gnupg-devel mailing list