For a long time I’ve had “get my cryptographic house in order” on the ol' to-do list. Relying on one key for all security domains has never sat all that well with me, but addressing this has been delayed by my need to do things “properly.” I figured subkeys were the “proper” way to address this issue, and so I kept putting it off until I had enough time to devote to understanding them.
In short, subkeys make a simple idea complicated. All I want are hierarchical keys, but there’s a whole new set of caveats and workflows to learn in order to do things “properly,” and for what? As far as I can tell, there is no discernable advantage to using subkeys as conceptualized by GPG rather than issuing a root public key, and then issuing separate keys signed by the root key. In fact, subkeys apparently introduce unintuitive “gotchas” such as:
One might be tempted to have one subkey per machine so that you only need to exchange the potentially compromised subkey of that machine. In case of a single subkey used on all machines, it needs to be exchanged on all machines in case of a compromising.
But this only works for signing subkeys. If you have multiple encryption subkeys, gpg is said to encrypt only for the most recent encryption subkey and not for all known and not revoked encryption subkeys.
I don’t want two sets of logic, one for keys and one for subkeys. I just want to sign and encrypt things! Subkeys seem to occlude what should be transparent.
So this is what I’ve done: I will no longer be using my old root key, with its automatically-attached subkeys. My new “root” key can only sign things. It will be only used for signing statements about the validity of other keys, and perhaps in a web-of-trust setting at some point.
My new root key is both signed by my old root key, and also referenced in a statement clearsigned by my old root key. (If you don’t have my old root key already, don’t worry about it.)
I’m also issuing a new PGP key for general use. It’s signed by my new root key, and also referenced in a clearsigned statement.
If you want to contact me, use my “ryepdx’s laptop” key.
If you receive a signed statement about a new key, check it against my “root” key.
I will append new keys and statements to this blog post as needed.