Keytypes and changing them
Christoph Anton Mitterer
cam at mathematica.scientia.net
Tue Nov 29 04:08:06 CET 2005
Hi :-)
Ok,.. it took some time,.. but now I came back to that issue ...
David Shaw wrote:
>On Wed, Nov 09, 2005 at 12:53:45AM +0100, Christoph Anton Mitterer wrote:
>
>
>>Or is there perhaps another software that I could use for changing the
>>key usage flags (without damaging my key or changing the format or so).
>>Of course I'd prefer using GnuPG because I trust this the most :-)
>>
>>Once again,.. I'm only going to do this,.. if it wouldn't have
>>disadvantages for the security. But if the only disadvantage is that I
>>have more work when someone asks me to respond to a challenge I would
>>live with that ;-)
>>
>>
>
>It has absolutely no impact on security, either for or against. It is
>a 90% meaningless flag, and is in fact happily ignored in virtually
>all OpenPGP applications. If you insist on making such a key, the
>only impact that you'll notice is that you won't be able to answer
>email challenges using GnuPG.
>
>
Well,... "insist" ... *g* ... let me explain:
If you look at professional CAs (e.g. DFN-PCA) they clearly state in
their Policies that e.g. they'll NEVER use their root keys for signing
data but only for signing keys (DFN does this with its root-PGP-keys for
example).
I think the advantage is,... that other users can at least think that
the key is more likely not used in daily business (with potentially
insecure applications,.. Thunderbird,.. etc.) but only when the owner
signs a key.
But of course this is only a personal opinion ;-)
However:
=> It is definitely sure that with a C-only primary key (and an S-subkey
- of course WITH backsigs) I would NOT lose any security or
cryptographic strength, at all, right? The only problem is that issue
with challenge-response, right?
>You sound like you really, really, want to do this. I'm telling you
>it's a bad idea, but it's your key. You have to be happy with it.
>
>
*g* You make me insecure...
But you mean "bad idea" only because of the issues with backsigning, right?
btw: Wouldn't it just work to answer the challenge by signing with the
signing subkey? If someone would trust my primary key he should also
trust my secondary (because it is bound to the primary by the 0x18-sig),
or am I wrong?
Best wishes,
Chris.
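The key layout discussed in this mail (a certify-only primary key, a signing subkey bound to it by a 0x18 subkey-binding signature that embeds a 0x19 back-signature) is visible directly in the OpenPGP packet format: the usage flags live in the key-flags subpacket (type 27, RFC 4880 5.2.3.21) of the self-signature, and the backsig is carried in an embedded-signature subpacket (type 32). The following is an added example, not code from the original mail or from GnuPG. It builds constructed signature bodies whose cryptographic parts (hash left bytes, MPI) are placeholders, then parses the subpacket areas to read the flags and to check whether a signing subkey is cross-certified. Timestamps and 8-byte key IDs are made up. Two facts it relies on: GnuPG puts the key-flags subpacket in the hashed area, so the flags cannot be edited without re-signing with the primary key (which is why you need the secret key and GnuPG rather than any other tool), and current GnuPG rejects signatures from a signing subkey without a valid backsig unless --require-cross-certification is turned off.

```python
"""Decode OpenPGP (RFC 4880) v4 signature subpackets to check a
"C-only primary + S-subkey with backsig" layout.  Added example;
the signatures built here are NOT cryptographically valid, only
the subpacket layout is real."""
import struct

# Key-flags bits (RFC 4880 5.2.3.21) and the per-key letters that
# gpg --with-colons prints in field 12 (c/s/e/a).
KEY_FLAGS = [(0x01, "c"), (0x02, "s"), (0x0C, "e"), (0x20, "a")]
SUBPKT_CREATION_TIME, SUBPKT_ISSUER = 2, 16
SUBPKT_KEY_FLAGS, SUBPKT_EMBEDDED_SIG = 27, 32
SIG_POSITIVE_CERT, SIG_SUBKEY_BINDING, SIG_PRIMARY_BINDING = 0x13, 0x18, 0x19


def encode_subpacket(sp_type, data):
    """Length (RFC 4880 5.2.3.1 encoding) + type byte + data."""
    n = len(data) + 1                     # length covers the type byte
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return length + bytes([sp_type]) + data


def parse_subpackets(buf):
    """Return [(type, data), ...]; the critical bit (0x80) is masked off."""
    out, i = [], 0
    while i < len(buf):
        b0 = buf[i]; i += 1
        if b0 < 192:
            n = b0
        elif b0 < 255:
            n = ((b0 - 192) << 8) + buf[i] + 192; i += 1
        else:
            n = struct.unpack(">I", buf[i:i + 4])[0]; i += 4
        if n == 0 or i + n > len(buf):
            raise ValueError("truncated subpacket")
        out.append((buf[i] & 0x7F, bytes(buf[i + 1:i + n])))
        i += n
    return out


def build_v4_sig_body(sig_type, hashed, unhashed=()):
    """v4 signature packet body; hash-left-bytes and MPI are placeholders."""
    h = b"".join(encode_subpacket(t, d) for t, d in hashed)
    u = b"".join(encode_subpacket(t, d) for t, d in unhashed)
    body = bytes([4, sig_type, 22, 8])    # version, type, EdDSA, SHA-256
    body += struct.pack(">H", len(h)) + h + struct.pack(">H", len(u)) + u
    body += b"\x00\x00"                   # left 16 bits of hash (placeholder)
    body += struct.pack(">H", 8) + b"\xff"  # one 8-bit MPI (placeholder)
    return body


def parse_v4_sig_body(body):
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hlen])
    p = 6 + hlen
    ulen = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = parse_subpackets(body[p + 2:p + 2 + ulen])
    return {"type": body[1], "hashed": hashed, "unhashed": unhashed}


def key_flags(sig):
    """Usage letters from the hashed key-flags subpacket ("" if absent).
    Only the hashed area counts: unhashed flags are not signed."""
    for t, d in sig["hashed"]:
        if t == SUBPKT_KEY_FLAGS and d:
            return "".join(l for bit, l in KEY_FLAGS if d[0] & bit)
    return ""


def check_subkey_binding(body):
    """(flags, cross_certified) for a 0x18 binding.  A signing subkey is
    only acceptable when the binding embeds a 0x19 back-signature; GnuPG
    enforces this by default (--require-cross-certification)."""
    sig = parse_v4_sig_body(body)
    if sig["type"] != SIG_SUBKEY_BINDING:
        raise ValueError("not a subkey binding signature")
    backsig = any(t == SUBPKT_EMBEDDED_SIG
                  and parse_v4_sig_body(d)["type"] == SIG_PRIMARY_BINDING
                  for t, d in sig["hashed"] + sig["unhashed"])
    return key_flags(sig), backsig


def constructed_key():
    """Constructed signatures modelling the layout in the mail: a C-only
    self-sig on the primary, an S-subkey binding with backsig, and the
    same binding without the backsig for comparison."""
    ctime = struct.pack(">I", 1133233686)          # made-up creation time
    primary_id, subkey_id = b"\x01" * 8, b"\x02" * 8  # made-up key IDs
    primary_selfsig = build_v4_sig_body(SIG_POSITIVE_CERT,
        [(SUBPKT_CREATION_TIME, ctime), (SUBPKT_KEY_FLAGS, b"\x01")],
        [(SUBPKT_ISSUER, primary_id)])
    backsig = build_v4_sig_body(SIG_PRIMARY_BINDING,          # issued by subkey
        [(SUBPKT_CREATION_TIME, ctime)], [(SUBPKT_ISSUER, subkey_id)])
    with_backsig = build_v4_sig_body(SIG_SUBKEY_BINDING,
        [(SUBPKT_CREATION_TIME, ctime), (SUBPKT_KEY_FLAGS, b"\x02")],
        [(SUBPKT_ISSUER, primary_id), (SUBPKT_EMBEDDED_SIG, backsig)])
    without_backsig = build_v4_sig_body(SIG_SUBKEY_BINDING,
        [(SUBPKT_CREATION_TIME, ctime), (SUBPKT_KEY_FLAGS, b"\x02")],
        [(SUBPKT_ISSUER, primary_id)])
    return primary_selfsig, with_backsig, without_backsig


if __name__ == "__main__":
    p, s, bad = constructed_key()
    print("primary flags:", key_flags(parse_v4_sig_body(p)))   # c
    print("subkey (flags, cross-certified):", check_subkey_binding(s))    # ('s', True)
    print("subkey without backsig:", check_subkey_binding(bad))         # ('s', False)
```

On a real key, `gpg --export KEYID | gpg --list-packets` shows the same structure: the 0x18 binding lists "hashed subpkt 27" with the flags and a "subpkt 32 ... class 0x19" for the backsig.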