controlling the use of subkeys
Mike Frysinger
vapier at gentoo.org
Sat Dec 23 20:59:31 CET 2006
On Saturday 23 December 2006 14:51, Robert J. Hansen wrote:
> Mike Frysinger wrote:
> > i do signing of Gentoo packages and historically i would just
> > generate a new key and sign that with my normal public one ... when
> > the last one expired, i decided to try and use subkeys
>
> This may be bad policy on your part. The average Gentoo user is not
> going to be an expert on cryptography or the OpenPGP protocol. Keeping
> things as simple as possible for them is probably better than getting
> clever with subkeys, especially since there are some interesting edge
> cases there.
the average Gentoo user isnt going to ever care or even notice ... the signing
aspects are all handled by portage
user does `emerge pkg` and emerge goes and validates all of the keys
> > so my main key i get everyone to sign is E837F581 and i use that when
> > signing my e-mails ... i created a new subkey just for signing
> > Gentoo packages and that is 205D3103
>
> Generally speaking, people don't sign keys; they sign user IDs.
sorry, yes ... they've been signing my Gentoo uid
> > ... now when i sign e-mails or files, my main key is no longer used,
> > just my subkey ... how can i control this behavior ?
>
> Use the "!" symbol to explicitly specify a subkey. E.g.,
thanks
> I would suggest rethinking your strategy, however.
and what would you suggest ? create brand new key sets when the previous one
expires ? i thought one of the points of subkeys is to minimize this sort of
management
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20061223/6977bed6/attachment-0001.pgp
More information about the Gnupg-users
mailing list