A few newbie questions, am I doing this right?

MFPA expires2012 at rocketmail.com
Tue Dec 18 00:37:33 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 16 December 2012 at 5:03:42 AM, in
<mid:7064600.aJxIxBHWNB at inno>, Hauke Laging wrote:


> With a compromised mainkey it
> shouldn't be a problem to create a certificate with a
> modified capability set anyway.

Yes, I didn't think that through properly.


MFPA:
>> There is no real limitation here. If a need arose for
>> "higher security" signing or encryption keys, new
>> subkeys with those capabilities could be created and
>> circulated, and the secret subkeys stored offline just
>> like the main key.

> That's right but makes the whole thing even more
> complicated – without explaining what the advantage
> should be.

I disagree. What you see as added complication, I see as
simplification. Most keys having a single use but one having several
uses is more complicated to me than each key having a single use.



> And complicated is bad as understanding is
> critical to the practical value of crypto.

Agreed.



> Once unlocked the
> OpenPGP card does as many decryptions as you want. I do
> not see any reason for that.

Convenience. (Which is often the opposite of security.)



> I would not call such
> a "deprecated" name "invalid". The person can still be
> identified by the old name.

They can, and some people routinely are (such as solicitors who use
their former name for work and their current name for non-work
matters). But hanging on to the old identity whilst also taking up the
new one sends mixed messages and seems like a contradiction.



> In that case it makes sense IMHO only if the
> certification procedure (for the "real" key) is
> somewhat complicated because the key owner follows a
> good certification policy.

It means a lapse in competence, such as accidentally exporting your
local signatures, does not compromise your good certification policy.



- --
Best regards

MFPA                    mailto:expires2012 at rocketmail.com

Wait. You think I'm right?
-----BEGIN PGP SIGNATURE-----

iQCVAwUBUM+s2qipC46tDG5pAQrrFAQAsm4aNNztmgSyd/LtszsJ6tnkCoR20rDQ
w+XqivqaMQtJLBFqAwDIQItoxEAnCpBGoTb6fYo9hQ/sv3WZ25mqwMXd0WifW0G6
IpFkiT0GhO93aKlIXs12OMTrmQiJ7LfQZWVR5trVao7z7RVQanTcaLmnz7bMzG/e
j14QU8Ixwlw=
=wsyt
-----END PGP SIGNATURE-----