The best practice of master/sub key capabilities
Simon Josefsson
simon at josefsson.org
Sat Aug 22 00:12:02 CEST 2015
Dongsheng Song <dongsheng.song at gmail.com> writes:
> Hi all,
>
> When I create a new master/sub key, of the following 2 choices, I'm
> wondering which is better?
>
> 1) master key has SCEA capabilities
>
> sec rsa4096/A19676A1
> created: 2015-08-20 expires: never usage: SCEA
> trust: ultimate validity: ultimate
> ssb rsa4096/27ADD750
> created: 2015-08-20 expires: never usage: SEA
>
> 2) master key has only Certify capability
>
> sec rsa4096/1F8AFCAD
> created: 2015-08-20 expires: never usage: C
> trust: ultimate validity: ultimate
> ssb rsa4096/8E1D2A87
> created: 2015-08-20 expires: never usage: SEA

I would use an SC master key because I would want to use it to certify
others' keys, and would also be able to use it to sign statements in
case something bad happened to my sub-keys.

I would use three separate sub-keys, one each for the three SEA usages.

/Simon
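
Added example (not part of the original message and not GnuPG project code): a Python check that reads `gpg --list-secret-keys --with-colons` output and reports where a key departs from the layout suggested in the reply above, an SC primary key with one sub-key per S, E and A usage. The colon listings and key IDs are constructed samples, and the function names are hypothetical.

```python
# Constructed `gpg --list-secret-keys --with-colons` listings; key IDs are placeholders.
SPLIT = """\
sec:u:4096:1:1111111111111111:1440021600:::u:::scESCA:
uid:u::::1440021600::::Example User <user@example.org>:
ssb:u:4096:1:2222222222222222:1440021600::::::s:
ssb:u:4096:1:3333333333333333:1440021600::::::e:
ssb:u:4096:1:4444444444444444:1440021600::::::a:
"""
COMBINED = """\
sec:u:4096:1:5555555555555555:1440021600:::u:::escaESCA:
uid:u::::1440021600::::Example User <user@example.org>:
ssb:u:4096:1:6666666666666666:1440021600::::::esa:
"""


def key_layout(listing):
    """Return (record type, key ID, own usage flags) for each primary key and subkey."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec", "sub", "ssb") and len(f) >= 12:
            # Field 12: lowercase letters are this key's own usages; uppercase
            # letters on a primary key summarise the whole key and are ignored.
            own = "".join(c for c in "scea" if c in f[11])
            keys.append((f[0], f[4], own))
    return keys


def audit(listing):
    """List deviations from: SC primary key, one subkey each for S, E and A."""
    findings, covered = [], set()
    for rtype, keyid, caps in key_layout(listing):
        if rtype in ("pub", "sec"):
            if caps != "sc":
                findings.append(f"primary {keyid}: usage {caps.upper()}, expected SC")
        else:
            covered |= set(caps)
            if len(caps) != 1:
                findings.append(f"subkey {keyid}: usage {caps.upper()}, expected a single usage")
    for usage in "sea":
        if usage not in covered:
            findings.append(f"no subkey with usage {usage.upper()}")
    return findings


if __name__ == "__main__":
    for name, listing in (("split", SPLIT), ("combined", COMBINED)):
        print(name, audit(listing) or "matches the suggested layout")
```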