Discussion:
FSFE wiki card howto / subkeys
Daniel Pocock
2012-10-07 17:43:16 UTC
The how-to guides:

http://wiki.fsfe.org/Card_howtos

all steer people away from keeping the main key on a card. Yet some of
the coloured notes here:

http://www.gnupg.org/howtos/card-howto/en/ch05s02.html

suggest that may not be best practice today.

Can anyone comment on the state of play?

My understanding is that various possibilities exist, potentially with
multiple cards:

card 1:
- main RSA private key
- used for signing other keys
- kept in a safe at home

card 2:
- sub key
- signed by main key
- card that is kept in the wallet
Martin Gollowitzer
2012-10-09 15:34:31 UTC
* Daniel Pocock <daniel at pocock.com.au> [121007 19:43,
Post by Daniel Pocock
Can anyone comment on the state of play?
I strongly suggest using subkeys for your card and keeping the main key
out of the keyring you are using on a daily basis. If you need to change
UIDs in your key or sign another key, you can still get your backup from
the Orcs and use it for these tasks. For everything else, using the card
with its subkeys is just fine.

If you need to use your card on a computer not under your control, you
can just run the "fetch" command on the card and GnuPG will get your
public key from the URI saved on the card. You can then immediately use
the card on that machine. I consider this a great feature and it's
proven useful to me once in the past.

Just my €0,02

Martin
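
A check that pairs with the "fetch" tip above, as an added example that is not part of the original post: once the public key has been pulled from the card's URL, compare the fingerprints stored on the card with those now in the keyring. The function names, the sample fingerprints and the colon-listing formats described in the comments are assumptions of this example.

```shell
#!/bin/sh
# Assumed formats: `gpg --card-status --with-colons` prints one line
#   fpr:<signature>:<encryption>:<authentication>:
# and `gpg --with-colons --fingerprint --fingerprint` prints one
#   fpr:::::::::<fingerprint>:   record per primary key and subkey.

# Fingerprints of the key slots on the card (stdin: card-status output).
card_fprs() {
    awk -F: '$1 == "fpr" { for (i = 2; i <= 4; i++) if ($i != "") print toupper($i) }'
}

# Fingerprints present in the local keyring (stdin: key listing).
keyring_fprs() {
    awk -F: '$1 == "fpr" && $10 != "" { print toupper($10) }'
}

# Print every card fingerprint that is absent from the keyring listing.
# Empty output means the fetched key covers all keys held on the card.
missing_card_keys() {
    known=$(printf '%s\n' "$2" | keyring_fprs)
    for fpr in $(printf '%s\n' "$1" | card_fprs); do
        printf '%s\n' "$known" | grep -qxF "$fpr" || printf '%s\n' "$fpr"
    done
}

# Constructed fingerprints and listings (not from a real card or key).
PRI=0000000000000000000000000000000000000000
SIG=1111111111111111111111111111111111111111
ENC=2222222222222222222222222222222222222222
AUT=3333333333333333333333333333333333333333
SAMPLE_CARD="fpr:$SIG:$ENC:$AUT:"
# The listing below lacks the authentication subkey, as a stale copy
# of the public key at the card's URL would.
SAMPLE_KEYRING="fpr:::::::::$PRI:
fpr:::::::::$SIG:
fpr:::::::::$ENC:"

missing=$(missing_card_keys "$SAMPLE_CARD" "$SAMPLE_KEYRING")
if [ -z "$missing" ]; then
    echo "fetched key matches the card"
else
    echo "on the card but not in the keyring: $missing"
fi

# Live use, after `gpg --card-edit` and `fetch` at its prompt:
#   missing_card_keys "$(gpg --card-status --with-colons)" \
#                     "$(gpg --with-colons --fingerprint --fingerprint)"
```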
Hugo Roy
2012-10-18 07:16:49 UTC
Post by Martin Gollowitzer
If you need to use your card on a computer not under your control, you
can just run the "fetch" command on the card and GnuPG will get your
public key from the URI saved on the card. You can then immediately use
the card on that machine. I consider this a great feature and it's
proven useful to me once in the past.
Just my €0,02
The fetch feature would be a nice addition to the wiki, if it isn't there already.

Thanks for the tip Martin,
Hugo
--
Hugo Roy
French Coordinator, FSFE chat: hugo at jabber.fsfe.org
www.fsfe.org/about/roy mobile: +336 08 74 13 41
mobile DE: +49 151 143 56 563
Martin Gollowitzer
2012-10-18 15:06:44 UTC
* Hugo Roy <hugo at fsfe.org> [121018 09:17,
Post by Hugo Roy
Post by Martin Gollowitzer
If you need to use your card on a computer not under your control, you
can just run the "fetch" command on the card and GnuPG will get your
public key from the URI saved on the card. You can then immediately use
the card on that machine. I consider this a great feature and it's
proven useful to me once in the past.
Just my €0,02
The fetch feature would be a nice addition to the wiki, if it isn't there already.
Thanks for the tip Martin
De rien. Feel free to add this at a place in the page you'd consider
appropriate :-)

Martin
Hugo Roy
2013-01-07 09:12:48 UTC
Post by Martin Gollowitzer
* Hugo Roy <hugo at fsfe.org> [121018 09:17,
Post by Hugo Roy
Post by Martin Gollowitzer
If you need to use your card on a computer not under your control, you
can just run the "fetch" command on the card and GnuPG will get your
public key from the URI saved on the card. You can then immediately use
the card on that machine. I consider this a great feature and it's
proven useful to me once in the past.
Just my €0,02
The fetch feature would be a nice addition to the wiki, if it isn't there already.
Thanks for the tip Martin
De rien. Feel free to add this at a place in the page you'd consider
appropriate :-)
I think I am going to try a new gpg setup. Mine is getting confusing
with all the subkeys etc. I think the howto could do better at
explaining how to manage keys.
--
Hugo Roy
French Coordinator, FSFE chat: hugo at jabber.fsfe.org
Support the FSFE, sign up ? mobile: +336 08 74 13 41
https://www.fsfe.org/support