master key certify capability
Konstantin Ryabitsev
konstantin at linuxfoundation.org
Fri Jan 3 21:18:22 CET 2020
On Fri, Jan 03, 2020 at 07:06:42PM +0100, john doe wrote:
> $ gpg -K
>
> -----------------------------
> sec rsa4096 2020-01-03 [C] [expires: 2020-01-04]
> 3C5CFD620005347A62052A6B596CB80D30E8829D
> uid [ultimate] Firstname Lastname <test at example.com>
> ssb rsa4096 2020-01-03 [S] [expires: 2020-01-04]
> ssb rsa4096 2020-01-03 [S] [expires: 2020-01-04]
> ssb rsa4096 2020-01-03 [E] [expires: 2020-01-04]
>
>
> Is there any downside to have my master key with the certify capability
> only?

None.

> In other words, is it required for the master key to have the sign and
> certify capabilities.

It's not, and having a separate S subkey allows you to remove your
certify key to offline storage for better safekeeping (e.g. see
https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md#moving-your-master-key-to-offline-storage)

Regards,
-K
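
The layout discussed in this thread can be checked mechanically from GnuPG's colon-delimited listing. The script below is an added example, not part of the original message: it reports whether the primary key is certify-only, whether a usable signing subkey exists, and whether the primary secret is present or only a stub. The names `check_key_layout` and `sample_key` are hypothetical, the sample records are constructed, and it assumes the input describes a single key.

```shell
#!/bin/sh
# Added example. Reads `gpg --list-secret-keys --with-colons` records for ONE key
# on stdin. Colon-format fields used: 1 = record type, 2 = validity,
# 12 = capabilities, 15 = secret-key marker ("#" = stub only, secret is offline).
check_key_layout() {   # hypothetical helper name
    awk -F: '
        $1 == "sec" {
            seen = 1
            primary = $12
            gsub(/[A-Z]/, "", primary)   # uppercase letters describe the whole key, drop them
            offline = ($15 == "#")
        }
        # count signing subkeys that are neither expired (e) nor revoked (r)
        $1 == "ssb" && $2 !~ /^[er]$/ && $12 ~ /s/ { signing++ }
        END {
            if (!seen)          { print "no-secret-key"; exit 2 }
            if (primary != "c") { print "primary-not-certify-only:" primary; exit 1 }
            if (signing == 0)   { print "no-usable-signing-subkey"; exit 1 }
            print (offline ? "ok-primary-offline" : "ok-primary-online")
        }'
}

# Constructed sample records (key IDs and timestamps are made up).
# $1 = capability field of the sec record, $2 = its secret-key marker.
sample_key() {
    printf 'sec:u:4096:1:1111111111111111:1578000000:1578086400::u:::%s:::%s:::23::0:\n' "$1" "$2"
    printf 'ssb:u:4096:1:2222222222222222:1578000000:1578086400:::::s:::+:::23:\n'
    printf 'ssb:u:4096:1:3333333333333333:1578000000:1578086400:::::e:::+:::23:\n'
}

# Certify-only primary whose secret part has been moved offline.
sample_key cESC '#' | check_key_layout
# Against a real keyring: gpg --list-secret-keys --with-colons KEYID | check_key_layout
```
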