Which signing key should I use for certifying other people's public keys: master or subkey?
The four possible key "usages" are
- Certification: signing other keys
- Signing: signing data
- Encryption: decrypting data
- Authentication: signing authentication tokens
When you look at your key using --edit-key, you find the usage listed behind each key and subkey. By default, all that are supported by the key type are attached to the master key (so, RSA defaults to CSEA, DSA defaults to CSA as DSA keys should not be used for encryption). There are special key types that are more limited than their algorithm (e.g. "RSA (sign only)" that supports only CSA).
When creating a subkey, a key usage is assigned to it in the signature binding the subkey to the master key; this delegates this functionality to the subkey, which also becomes the default key for the respective operation, while the key usage is hidden from the master key.
Certification cannot be delegated to a subkey, so you will always need your master key to sign another key.
Signing can be delegated, and the newest valid key with a Signing delegation is automatically used for signing, unless another is forced by specifying the key to use with an exclamation mark in front.
Encryption can also be delegated, and the newest valid key with an Encryption delegation is automatically selected on the sender's side, unless another is forced with an exclamation mark.
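The selection rules in this answer, applied to a `gpg --list-keys --with-colons` listing, as an added example (not the answer author's code). The listing below is constructed with placeholder key IDs; the field positions follow the colon format documented in GnuPG's DETAILS file, where field 12 holds the key's capability letters.

```python
"""Pick the key gpg would use for each usage, per the rules above:
certification stays on the primary key; signing/encryption/authentication
go to the newest valid key carrying that flag, a subkey if one exists."""
from dataclasses import dataclass

# Validity codes (field 2) that make a key unusable: expired, revoked, invalid.
UNUSABLE = {"e", "r", "i"}

# Constructed sample listing (placeholder key IDs, not a real keyring).
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:0::u:::scESCA::::::23::0:
uid:u::::1500000000::PLACEHOLDERHASH::Example User <user@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1500000000:0:::::s::::::23:
sub:u:4096:1:1111222233334444:1600000000:0:::::e::::::23:
sub:e:4096:1:5555666677778888:1650000000:1660000000:::::s::::::23:
"""


@dataclass
class Key:
    record: str      # "pub"/"sec" for the primary, "sub"/"ssb" for subkeys
    keyid: str
    created: int     # creation time, seconds since the epoch (field 6)
    validity: str    # field 2
    caps: str        # field 12; lowercase letters are this key's own usages


def parse_colon_listing(text: str) -> list[Key]:
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub", "sec", "ssb"):
            keys.append(Key(f[0], f[4], int(f[5]), f[1], f[11]))
    return keys


def select_key(keys: list[Key], op: str):
    """op is one of 'C', 'S', 'E', 'A'; returns the key ID gpg would pick, or None."""
    primary = keys[0]
    if op == "C":  # certification cannot be delegated to a subkey
        return primary.keyid if "c" in primary.caps else None
    flag = op.lower()
    usable = [k for k in keys if flag in k.caps and k.validity not in UNUSABLE]
    subs = [k for k in usable if k.record in ("sub", "ssb")]
    if subs:  # a delegation hides the usage from the master key
        usable = subs
    return max(usable, key=lambda k: k.created).keyid if usable else None


if __name__ == "__main__":
    keyring = parse_colon_listing(SAMPLE)
    for op in "CSEA":
        print(op, select_key(keyring, op))
```

The expired signing subkey is skipped, so the older valid signing subkey wins; a specific key can still be forced with `-u KEYID!` as the answer describes.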
The general practice is that the master key is used for signing other keys. See, for example, the exceptions under "Why?" for Using OpenPGP subkeys in Debian development. I'm not aware of any system that creates a subkey for this purpose, and in my experience public key software isn't all that flexible a beast.
As opinion only, I suggest the following two rationales:
- As you say, signing is an activity taking place on a trusted system and with minimal interaction with outside data. The risk level does not justify creation of a separate subkey which might have a shorter life and whose cycling would trigger a systemic re-trust exercise.
- The master key can be thought of as the corporation, the subkeys are the "doing business as" identities. The latter derive their authority from the former, but the master key is the authority. Signing other keys is by definition an authoritative action, and is most appropriate for the master key and not a subkey.