On Fri, 25 May 2018 12:26:54 +0200,
Leo Gaspard wrote:
> Another use case supporting this opinion: certification subkeys are also
> a way to increase the security of an offline OpenPGP key, as with them
> it becomes possible to put the master key behind a diode while still
> being able to certify keys, and only ever move data out:

FWIW, this workflow does not require certification subkeys. You can
instead create two keys, an offline key and an online
certification-only key. Then, you *t*sign the certification key using
the offline key. This means that anyone who adds your offline key as
a trusted introducer will automatically trust your online
certification key. Check out Section 6.3.12 of the following text for
more details:
https://gnupg.org/ftp/people/neal/an-advanced-introduction-to-gnupg/an-advanced-introduction-to-gnupg.pdf
:) Neal
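
The two-key workflow described in the reply above, as an added shell example that is not part of the original message or the linked guide. The user IDs, the single scratch keyring, the ed25519 algorithm, and the choice of depth 1 with full trust are assumptions made for illustration; it needs GnuPG 2.1.13 or later.

```shell
#!/bin/sh
# Added example. The user IDs and the single throwaway keyring are constructed;
# in the workflow described above the two keys live on separate machines.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME   # scratch keyring, not your real one
ROOT_UID='root@example.invalid'            # constructed offline-key user ID
ONLINE_UID='certifier@example.invalid'     # constructed online-key user ID

# Create one certification-only primary key with no passphrase and no expiry.
make_cert_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 cert never
}

# Print the primary-key fingerprint for a user ID.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Trust-sign the online key with the offline key. The answers piped in follow
# the tsign prompts: trust 2 (full), depth 1, no domain restriction, confirm.
# Depth 1 and full trust are choices made for this example.
tsign_online_key() {
    printf 'tsign\n2\n1\n\ny\nsave\n' |
        gpg --quiet --no-tty --command-fd 0 \
            --local-user "$(fpr_of "$ROOT_UID")" \
            --edit-key "$(fpr_of "$ONLINE_UID")" >/dev/null
}

# Field 8 of a colon-format "sig" record is "<depth> <trust amount>" when the
# certification is a trust signature; select the one issued by the offline key.
trust_sig_field() {
    issuer=$(fpr_of "$ROOT_UID" | tail -c 17)   # last 16 hex digits = key ID
    gpg --batch --with-colons --list-sigs "$ONLINE_UID" |
        awk -F: -v k="$issuer" '$1 == "sig" && $5 == k { print $8 }'
}

make_cert_key "Offline Root (constructed) <$ROOT_UID>"
make_cert_key "Online Certifier (constructed) <$ONLINE_UID>"
tsign_online_key
gpgconf --kill gpg-agent
echo "trust signature on online key: $(trust_sig_field)"
```

With real keys the `tsign` step runs on the offline machine, and the trust-signed public key is then exported with `gpg --export` for distribution.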