More than once I have read recommendations to use the primary key-pair in my OpenPGP certificate only to sign sub-key-pairs and not for general daily use (even to keep the private key stored on a non-network-enabled PC for additional security). I recently noticed that each key-pair in my certificate has flags which define for what purpose it must be used exclusively. As far as I understand currently (having trouble finding documentation), the process of signing sub-key-pairs would be depicted by A (for authentication).
In my newly generated certificate, my primary key-pair has the usage flags SC (signature and certification). Now it is quite easy to change these flags for sub-keys with the GnuPG command line tool, but I cannot find any way to modify the usage flags for the primary key-pair.
What I would like to be able to do, is to limit the primary key-pair to only be able to sign and revoke additional sub-key-pairs in my certificate. Can anyone tell me if this is possible and how to do it?
Best Answer
You'd need the usage flag certify (C), which is required by the OpenPGP specifications anyway. Authentication (A) is rarely used and means you can authenticate yourself (similar to SSH key based authentication). Yet it is not possible to change the usage flags in GnuPG (but by hacking the code). From a message by Resul Cetin on that mailing list thread:
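An added example, not part of the question or the answer above: whatever version of GnuPG you use, the flags actually stored on each key-pair are visible in the machine-readable listing `gpg --list-keys --with-colons`. Field 12 of each `pub` and `sub` record carries the capability letters (documented in GnuPG's doc/DETAILS): lowercase `e`, `s`, `c`, `a` are the flags of that particular key, and the uppercase letters appended on the `pub` record summarise what the whole certificate can do. With current GnuPG (2.1 and later) a certify-only primary key can be produced at generation time with `gpg --quick-generate-key 'Example User <user@example.org>' ed25519 cert never`, after which `gpg --quick-add-key <fingerprint> ed25519 sign`, `... cv25519 encr` and `... ed25519 auth` add the daily-use subkeys. The script below parses such a listing and audits the layout the question asks for: it is the editor's own code, and the two listings it works on are constructed samples with fake key IDs and fingerprints, shaped like real `--with-colons` output.

```python
"""Audit OpenPGP key usage flags from `gpg --list-keys --with-colons` output.

Field 12 of a pub/sub record holds the capability letters: lowercase
e, s, c, a are the flags of that specific key; on the pub record the
uppercase letters summarise the capabilities of the whole certificate.
"""

# Constructed sample (fake key IDs and fingerprints), modelled on the layout
# of `gpg --list-keys --with-colons` for a certificate whose primary key is
# certify-only and whose three subkeys carry s, e and a respectively.
CERT_ONLY_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::cESCA::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF::
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:255:22:FEDCBA9876543210:1700000000::::::s::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567::
sub:u:255:18:1122334455667788:1700000000::::::e::::::23:
fpr:::::::::1122334455667788112233445566778811223344::
sub:u:255:22:8877665544332211:1700000000::::::a::::::23:
fpr:::::::::8877665544332211887766554433221188776655::
"""

# Constructed sample of GnuPG's default layout: the primary key carries
# both s and c, and a single encryption subkey carries e.
DEFAULT_LISTING = """\
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESCA::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF::
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:255:18:1122334455667788:1700000000::::::e::::::23:
"""


def parse_capabilities(listing):
    """Return [(record_type, key_id, own_flags)] for every pub/sub record.

    own_flags is the set of lowercase letters belonging to that key itself;
    the uppercase whole-certificate summary on the pub line is dropped.
    """
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue  # skip tru, fpr, uid, sig and other record types
        key_id = fields[4]          # field 5: long key ID
        own_flags = {c for c in fields[11] if c.islower()}  # field 12
        keys.append((fields[0], key_id, own_flags))
    return keys


def primary_is_certify_only(listing):
    """True when the single primary key carries exactly the c flag."""
    pubs = [k for k in parse_capabilities(listing) if k[0] == "pub"]
    if len(pubs) != 1:
        raise ValueError("expected exactly one primary key in the listing")
    return pubs[0][2] == {"c"}


def subkey_coverage(listing):
    """Union of the capabilities provided by the subkeys."""
    flags = set()
    for rec_type, _, own in parse_capabilities(listing):
        if rec_type == "sub":
            flags |= own
    return flags


def audit(listing):
    """List the ways a certificate departs from 'certify-only primary,
    everything else on subkeys'. Empty list means it matches."""
    problems = []
    if not primary_is_certify_only(listing):
        problems.append("primary key carries flags other than c; "
                        "move signing/encryption/authentication to subkeys")
    for flag in sorted({"s", "e"} - subkey_coverage(listing)):
        problems.append(f"no subkey provides capability '{flag}'")
    return problems


if __name__ == "__main__":
    for name, listing in (("cert-only", CERT_ONLY_LISTING),
                          ("default", DEFAULT_LISTING)):
        print(name, audit(listing) or "OK")
```

To audit a real keyring, pipe `gpg --list-keys --with-colons <key-id>` into `audit()` instead of the constructed strings; the `a` flag is deliberately not required by `audit()`, since authentication subkeys are optional.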