Why a subkey?

Mike - EMAIL IGNORED m_d_berger_1900 at yahoo.com
Sat Feb 24 20:18:18 CET 2007


On Sat, 24 Feb 2007 12:42:09 -0600, Robert J. Hansen wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
>> On FC4 with gpg 1.4.1:
> 
> Please upgrade.  There have been a couple of security updates since  
> 1.4.1.
> 
>> It says the key cannot be used for encryption, and a
>> subkey must be generated. Why?
> 
> Why must an encryption subkey be generated?  Because you don't have  
> one.  If you mean "why doesn't GnuPG create an encryption subkey at  
> the same time it creates a signing subkey, the way it does for DSS/ 
> ElGamal keypairs", for that one you'd have to ask the developers.   
> It's never made a lick of sense to me, myself.
> 
>> If so, why was (sign and encrypt) not offered as an option?
> 
> Having one key that can be used for both signing and encryption  
> operations is thought by some to be bad crypto policy.  The problems  
> with it appear to be mostly theoretical, though.
> 
>> I did this a year or two ago, and I do not remember
>> needing a subkey.  I still have that keyring in
>> under another user.
> 
> If your other key was DSS/ElGamal, that's because GnuPG created the  
> additional subkey for you at the same time as your signing subkey.  :)
> 
> 
[...]

Now I created a key using "DSA and Elgamal (default)".  As you
suggest, it created a subkey for me, as can be seen in gpg --list-keys.

If I run gpg --list-keys on my old keyring, I see no subkeys in the
old keys (Apr 2006), but there is a subkey in the public key imported
from the new user account.  Has there been a change?  Are my old
keys obsolete?  I don't remember if I upgraded gpg in the interim
(present version 1.4.1), but I will upgrade, as you suggest.

Thanks,
Mike.







More information about the Gnupg-users mailing list