2

Most of the public keys I am getting from friends have a sub key in addition to the pub key. For educational purposes I retrieved some public keys and came across this Linus Torvalds' key that does not have a sub-key.

```
pub   1024D/956EB7BF449FA3AB 1999-10-05 [expired: 2001-10-04]
uid               [ expired] Linus Torvalds <torvalds@transmeta.com>
```

Apparently this key is distributed without a sub key. My own public key looks like this (anonymized for posting purposes).

```
pub   4096R/96Q1DUTLHW3NHA97 2014-10-27 [expires: 2015-03-11]
uid               [ unknown] First Name Last Name <first.last@provider.org>
sub   4096R/96Q1DUTLHW3NHA96 2014-10-27 [expires: 2015-03-11]
```

Why would people distribute their public key with a sub-key and what are the advantages of doing that or not doing that?

Eric Fail
  • Maybe 15 years ago Linus and/or the program he used wasn't perfect? If you check the keyserver (at least subkeys.pgp.net which my gpg uses) you should find 76E21CBB torvalds@osdl.org from 2005 and 00411886 torvalds@linux-foundation.org from 2011 each with subkey for encryption. – dave_thompson_085 Oct 30 '14 at 16:19
  • @dave_thompson_085, thank you for your response to my question. My question is specifically about Torvalds' old key, but why most people share several keys with those specific features (i.e. a sub-key for encryption and a public key for signing and for creating certificates). – Eric Fail Nov 03 '14 at 13:13

2 Answers

3

Advantage of Using Subkeys

Using subkeys has the main advantage that in case you have to revoke them, you're not losing all reputation in the web of trust and do not have to exchange new keys with other participants you're communicating with.

For example, if you stored your subkeys (and your public primary key, not your secret primary key!) on a mobile phone which you lost, you can easily revoke these subkeys and create a new key pair; all others just have to fetch your updated primary key to become aware of them (and possibly don't even realize).

If you had put your primary key on your mobile, you would have to issue a completely new set of keys, make everybody aware of them and start again in the web of trust (having lost all certifications).

Algorithm Choice

Another reason for subkey usage is algorithmic limitations. While RSA can be used for both signing (certifying) and encrypting, and you don't have to use subkeys for encryption, some algorithms are only capable of one of those. For example, DSA (Digital Signature Algorithm) can only be used to issue signatures and requires another algorithm for encryption; usually ElGamal is used here (which again cannot be used for signing).

Further Information

At least GnuPG automatically creates subkeys

I generally recommend reading Debian's discussion of subkeys; I also answered a slightly related question. Finally, have a look at the offline key section of this answer.

Jens Erat
  • Thank you for your careful response, it's a good explanation of the relationship between the primary key and sub-keys. I also read Debian's discussion of sub-keys and your related answer. I realize that my question might not have been specific enough. What I'm puzzled by is why I should share more than one public key. The way Torvalds' public key is shared seems to me to be enough (as illustrated in my original question above, `956EB7BF449FA3AB`). What I don't understand is; why would anyone be interested to share a sub-key in addition to the public key? Most people seem to be doing this. – Eric Fail Oct 29 '14 at 19:15
  • Because (1) some algorithms might require it, and (2) it reduces the hassle of revoking keys if necessary. Most people will stick with one single active subkey pair for signing and encryption, and only use the primary key for certification and key management. Usually, people exchange their subkeys every few years, but stick with their primary key for a longer time. – Jens Erat Oct 29 '14 at 21:52
1

Usually when generating keyrings the program will generate both an encryption key and a signature key in the public keyring. If you run `gpg --edit-key KEYID` it will probably show `usage: SC` and `usage: E` for your key and subkey respectively.

Tim Lamballais
  • Thank you for responding to my question. I didn't know about these `usage:` categories. I looked at the usage for the keys listed in my example and Torvalds' `449FA3AB` has the `E` flag. While my keys `HW3NHA97` and `HW3NHA96` have the usage flags `SC` and `E` respectively. In some ways this only puzzles me further. Why would I publish a public key with the `SC` usage (if I understand it correctly this key, the `SC` key, can be used for signing and for creating certificates)? (@JensErat ) – Eric Fail Oct 29 '14 at 19:53
  • Generally speaking you'll want to both sign *and* encrypt your messages, hence the default behaviour of generating a signing key and an encryption key when running `gpg --gen-key`. – Tim Lamballais Oct 30 '14 at 10:07
  • This might also provide some extra insight: http://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig – Tim Lamballais Oct 31 '14 at 15:32
  • I understand that I want to sign and encrypt messages, but why would the recipient need the `SC` key? Maybe a use-scenario, or a tutorial, is spelled out somewhere (I did read the question you linked to, thanks). – Eric Fail Nov 03 '14 at 13:20
  • How do you propose the recipient of a message verify your signature without access to your public signing key? Just to be clear, signing/signature verification also works with an asymmetrical private/public keypair. – Tim Lamballais Nov 03 '14 at 16:05
  • Tim, thank you for clarifying. Now I see why I would have the `E` flag and the `S` flag, makes sense (now I only need to make sense of the `C`/_ good for certifying other signatures). – Eric Fail Nov 03 '14 at 17:08
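
The `usage:` flags discussed in this thread can be read mechanically from GnuPG's machine-readable listing (`gpg --with-colons`), where field 12 of each `pub`/`sub` record carries the capabilities. The following is an added example, not code from any of the posters: the key records in `SAMPLE` are constructed, and the names `parse_keys` and `key_for` are hypothetical. It shows which key a correspondent ends up using to verify a signature versus to encrypt, and what happens with a DSA primary key that has no subkey.

```python
# Added example. SAMPLE is constructed test data, not real key material.
ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA"}   # OpenPGP algorithm IDs
FLAGS = {"s": "sign", "c": "certify", "e": "encrypt", "a": "authenticate"}

SAMPLE = """\
pub:-:4096:1:1111111111111111:1414368000:1426032000::-:::scESC:
uid:-::::1414368000::::First Last <first.last@example.org>:
sub:-:4096:1:2222222222222222:1414368000:1426032000:::::e:
pub:-:1024:17:3333333333333333:939081600:::-:::scSC:
uid:-::::939081600::::DSA Only <dsa.only@example.org>:
"""

def parse_keys(listing):
    """Group pub/sub records into primary keys with their subkeys."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        # Field 12 (index 11): lowercase letters are this key's own
        # capabilities; uppercase letters on a pub record summarise the
        # whole key (primary plus subkeys) and are ignored here.
        caps = f[11] if len(f) > 11 else ""
        entry = {
            "keyid": f[4],
            "algo": ALGOS.get(f[3], f[3]),
            "bits": int(f[2]),
            "usage": {FLAGS[c] for c in caps if c in FLAGS},
        }
        if f[0] == "pub":
            entry["subkeys"] = []
            keys.append(entry)
        elif keys:
            keys[-1]["subkeys"].append(entry)
    return keys

def key_for(primary, purpose):
    """Key ID a correspondent would use for `purpose`, preferring a subkey."""
    for key in primary["subkeys"] + [primary]:
        if purpose in key["usage"]:
            return key["keyid"]
    return None  # no key in this certificate has that capability

if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        print(k["algo"], k["keyid"],
              "verify with:", key_for(k, "sign"),
              "encrypt to:", key_for(k, "encrypt"))
```

For the first constructed key, signatures are checked against the `SC` primary while messages are encrypted to the `E` subkey; the DSA-only key can be used to verify signatures but offers nothing to encrypt to.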