Good evening,
I've got a question about the concept of PGP.
I thought I understood everything:
A private keypair contains 2 keys, a DSA-key and a ElGamal-Key.
The ElGamal-Key decrypts, the DSA-key encrypts. Nobody else than me should have access to the DSA-key.
But then I read the GnuPG manual section about subkeys that says:
Quote:
http://www.gnupg.org/gph/en/manual.html#AEN526
Selecting expiration dates and using subkeys
By default, a DSA master signing key and an ElGamal encryption subkey are generated when you create a new keypair. This is convenient, because the roles of the two keys are different, and you may therefore want the keys to have different lifetimes. The master signing key is used to make digital signatures, and it also collects the signatures of others who have confirmed your identity. The encryption key is used only for decrypting encrypted documents sent to you. Typically, a digital signature has a long lifetime, e.g., forever, and you also do not want to lose the signatures on your key that you worked hard to collect. On the other hand, the encryption subkey may be changed periodically for extra security, since if an encryption key is broken, the attacker can read all documents encrypted to that key both in the future and from the past.
|
So, does that mean, that the DSA master signing key, which seems to be the private key is signed, which would mean that it has to be given away?
And that means, that with the help of the DSA master key, I can generate a ElGamal Key with limited livetime and not publish the primary ElGamal Key that had been created? Or, in my case, revoking the primary ElGamal Key, because I want to have a limited subkey.
Please tell me how to manage having subkeys.
greethings, joe
