Subject: Re: wanted: educate us please on key dongles
On Fri, 11 Aug 2017, Jonathan McDowell wrote:
> On Fri, Aug 11, 2017 at 10:08:16AM -0700, Sean Whitton wrote:
> > On Fri, Aug 11 2017, Jonathan McDowell wrote:
> > > * If you don't want to buy hardware, use an offline master
> > > key. Create
> > > a certification only master key using something like PGP Clean Room
> > > on a non-networked host [...]
> > By default, GnuPG creates a signing+certification master key. Could you
> > explain why it's a good idea to override that? I'm not sure what it
> > achieves.
> I see no reason why the master key should ever be used for signatures in
> such a scenario, so it seems sensible to indicate that it is purely for
Well, it can be useful. A SC master key (Sign and Certify) can be used
to sign messages explaining to someone else the need for a new subkey
when you had to revoke every subkey, when just adding the subkey itself
is not enough, or when adding subkeys is subject to a delay.
Suppose you forget to renew/upload a new subkey in your Debian key set,
and the current subkeys expire: it takes time for a new subkey upload to
clear keyring maint. During that time, an SC master key can be used in
an emergency to sign a vote or an upload.