What should '--local-user' mean when multiple secret keys match?
Andrew Gallagher
andrewg at andrewg.com
Tue Jan 29 11:45:06 CET 2019
On 28/01/2019 23:14, Daniel Kahn Gillmor wrote:
> So, how could GnuPG make this decision more correctly and safely by
> default for normal users who want to transition in an orderly fashion to
> a new key? A couple ideas:
>
> * sign with the most recently-created key available. (does this mean
> we're looking at the age of the primary, or of the subkey?)
I think "Most recent valid subkey of the most recent valid primary key"
is a sensible default. "Most recent valid subkey no matter how old the
primary is" would be the other option, but I can't imagine a use case
where it would be preferable.
> * provide explicit prioritization mechanisms between these keys that
> are easy to use and easy to revert
This would be useful for advanced users, but probably overkill for most.
> * allow locally disabling subkeys independently from primary keys, or
> even disabling key usage flags on the primary key.
Changing the usage flags on the primary has been a longstanding feature
request, but if your first two suggestions were implemented it wouldn't
be necessary for this use case.
--
Andrew Gallagher
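The two candidate heuristics above, modelled over constructed `gpg --with-colons --list-secret-keys` output. This is an added example, not GnuPG code and not something either poster wrote: the colon-format field positions (validity in field 2, key ID in field 5, creation and expiry in fields 6 and 7, capabilities in field 12) follow GnuPG's doc/DETAILS, but the key IDs, dates and the user ID are fictional, and the fallback to the next-newest primary when the newest one has no usable signing (sub)key is this example's assumption, not something the thread specifies.

```python
"""Model of --local-user selection policies over gpg --with-colons output.

Added example, not GnuPG's implementation. Sample listing, key IDs and
dates are constructed; field positions follow GnuPG's doc/DETAILS.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed listing: two secret keys that could both match
# --local-user "alice@example.org". Key A (2015) has a brand-new 2019
# signing subkey; key B (2018) is the newer primary but its newest
# signing subkey is revoked (validity 'r'). Key A's first subkey is
# expired (validity 'e', expiry in field 7). All IDs are fictional.
SAMPLE_LISTING = """\
sec:u:4096:1:1111111111111111:1420070400::u:::cSC:::+:::23::0:
uid:u::::1420070400::DEADBEEF::Alice <alice@example.org>::::::::::0:
ssb:e:4096:1:2222222222222222:1420070400:1514764800:::::s:::+:::23:
ssb:u:4096:1:3333333333333333:1546300800::::::s:::+:::23:
sec:u:256:22:4444444444444444:1514764800::u:::cSC:::+:::23::0:
uid:u::::1514764800::CAFEBABE::Alice <alice@example.org>::::::::::0:
ssb:u:256:22:5555555555555555:1514764800::::::s:::+:::23:
ssb:r:256:22:6666666666666666:1530000000::::::s:::+:::23:
"""

NOW = 1548720000  # 2019-01-29 00:00 UTC, the date of this mail


@dataclass
class Key:
    keyid: str
    validity: str
    created: int
    expires: Optional[int]
    caps: str
    subkeys: List["Key"] = field(default_factory=list)

    def is_valid(self, now: int) -> bool:
        # Revoked, expired, invalid or disabled keys are unusable. Also
        # check the expiry timestamp ourselves, so a stale validity flag
        # cannot resurrect an expired key.
        if self.validity in ("r", "e", "i", "d"):
            return False
        if self.expires is not None and self.expires <= now:
            return False
        return True

    def can_sign(self) -> bool:
        # Lower-case letters are this key's own capabilities; upper-case
        # letters on a sec record describe the key as a whole.
        return "s" in self.caps


def parse_colon_listing(text: str) -> List[Key]:
    """Parse sec/ssb records; subkeys attach to the preceding primary."""
    keys: List[Key] = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("sec", "ssb"):
            continue
        k = Key(keyid=f[4], validity=f[1], created=int(f[5]),
                expires=int(f[6]) if f[6] else None, caps=f[11])
        if f[0] == "sec":
            keys.append(k)
        elif keys:
            keys[-1].subkeys.append(k)
    return keys


def _newest_valid(keys: List[Key], now: int) -> Optional[Key]:
    valid = [k for k in keys if k.is_valid(now)]
    return max(valid, key=lambda k: k.created, default=None)


def _signing_candidates(primary: Key) -> List[Key]:
    cands = [s for s in primary.subkeys if s.can_sign()]
    if primary.can_sign():
        cands.append(primary)
    return cands


def pick_primary_first(keys: List[Key], now: int) -> Optional[Key]:
    """Most recent valid subkey of the most recent valid primary key.

    Assumption (not from the thread): if the newest primary has no
    usable signing (sub)key, fall through to the next-newest primary.
    """
    primaries = sorted((k for k in keys if k.is_valid(now)),
                       key=lambda k: k.created, reverse=True)
    for primary in primaries:
        signer = _newest_valid(_signing_candidates(primary), now)
        if signer is not None:
            return signer
    return None


def pick_subkey_first(keys: List[Key], now: int) -> Optional[Key]:
    """Most recent valid signing subkey, no matter how old the primary."""
    pool = [s for k in keys if k.is_valid(now) for s in _signing_candidates(k)]
    return _newest_valid(pool, now)


if __name__ == "__main__":
    ks = parse_colon_listing(SAMPLE_LISTING)
    print("primary-first:", pick_primary_first(ks, NOW).keyid)
    print("subkey-first: ", pick_subkey_first(ks, NOW).keyid)
```

Run against the constructed listing, the two policies disagree: primary-first picks subkey 5555... on the 2018 primary (its newer 6666... subkey is revoked and skipped), while subkey-first picks the 2019 subkey 3333... hanging off the 2015 primary. That divergence is exactly the case where choosing one default over the other matters for a user mid-transition.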