Dear Tom,
It will be quite a long text and there is no urgency in answering, but your help and clarification would be highly appreciated.
I have been using PGP-WDE for years now (both Win and Mac with passphrases) and only recently started using PGP regularly for signing and encrypting emails.
I got a bit confused with the feature of adding separate subkeys and in particular what a keyring/keypair/public key is composed of, and how the terminology is correctly used.
I created a new PGP key (“testkey”) and exported/reimported it with or without private key and checked the key properties.
First the problem with terminology:
On page 60 of the user manual it is stated:
A PGP Desktop keypair consists of these elements:
• the Master Key, for signing only;
• one mandatory Subkey for encryption;
• one or more optional Separate Subkey(s) for signing, encryption, or signing/encryption.
If I look at the key properties of the private key, the following IDs can be found:
Masterkey (?): 0x937F5352 (ID immediately below the email of the key)
encryption subkey: 0xCC8E8E63
signing subkey: 0xE4A0AA42
By definition this should be a Private Key, but actually it looks like it is a Keypair consisting of private and public key (?) – if I open the private key with TextEdit, both the private and the public key block can be found.
+) First Question: is the “private key” actually always a keypair consisting of private and public key, or is it possible to obtain the private key separately only?
+) Second Question: is the Masterkey also for decryption? Searching the whole manual I could not find which part of the key is actually responsible for decryption (only the Masterkey is described as “for signing only”, but there is no word about decryption).
I checked the features of the public key and surprisingly all subkeys can be found there again (for signing and encryption); however, a public key is not for signing (?)
+) Third Question (related to the first question): do all (sub)keys of the public key actually exist but only the subkey for encryption is active, or is the private/public key concept simply a mathematically connected “mirror-sandwich” of the masterkey+subkeys, where one half serves as public key and both halves together as “private key”?
Should the very correct terminology therefore be: public key and private keypair (where the “private key” then performs signing + decryption)?
I encrypted a file with the testkey:
If I remove both subkeys, PGP states “by removing all subkeys encryption to this key will be disabled”, so I assumed only the features of signing+decryption are left; however, PGP will not decrypt the file to an “unknown” key, which is understandable as I deleted the subkey responsible for encryption, but signing a file with this key is also not working (it does not appear in the list of private keys for signing). However, under “keys” the private key without subkeys is still called “keypair”, and trust was set to implicit. So therefore, in addition to the statements in the user manual, I am asking the
+) Fourth Question: what are the minimal features/composition of a PGP key?
I understood from the descriptions that the advantage of adding subkeys is the possibility to exchange them in case the private key becomes compromised, as only the masterkey is signed by other users, so the public PGP key keeps its ID with the signatures from other users – correct?
Any short answers would be very helpful (simply inline).
Thanks a lot for your time,
kind regards,
Stork
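The packet layout the letter asks about, as an added illustration that is not part of this correspondence and not PGP Desktop's own code: a minimal walker over constructed RFC 4880 key packets (toy RSA values, old-format headers, no user ID or signature packets) showing that a secret-key export embeds the public fields of the master key and of each subkey, and that the Key ID is derived from those public fields alone, so it is identical in both exports.

```python
import hashlib
import struct

# Constructed example: old-format RFC 4880 packets holding v4 RSA keys (not PGP Desktop code).
# Which subkey signs or encrypts is declared by key-flag subpackets on binding signatures (not modelled here).
ROLE = {5: "secret master key", 6: "public master key", 7: "secret subkey", 14: "public subkey"}
def mpi(v: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian magnitude."""
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def mpi_end(buf: bytes, i: int) -> int:
    """Offset just past the MPI that starts at buf[i]."""
    return i + 2 + (struct.unpack(">H", buf[i:i + 2])[0] + 7) // 8
def packet(tag: int, body: bytes) -> bytes:
    """Old-format header: bit 7 set, 4-bit tag, length type 1 (2-octet length), then the body."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
def public_fields(n: int, e: int, created: int = 0x5E000000) -> bytes:
    """v4 public key body: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
def secret_fields(n: int, e: int, d: int, p: int, q: int, u: int) -> bytes:
    """Secret key packet body = public body, S2K usage 0 (unencrypted), secret MPIs d, p, q, u,
    then a 16-bit checksum over those MPIs (RFC 4880 section 5.5.3)."""
    sec = mpi(d) + mpi(p) + mpi(q) + mpi(u)
    return public_fields(n, e) + b"\x00" + sec + struct.pack(">H", sum(sec) % 65536)
def public_of(body: bytes) -> bytes:
    """Public fields of any key packet body: the 6-byte header plus the two RSA MPIs."""
    assert body[0] == 4 and body[5] == 1, "constructed example handles v4 RSA only"
    return body[:mpi_end(body, mpi_end(body, 6))]
def key_id(pub: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99, 2-byte length, public fields); PGP Desktop shows its low 32 bits."""
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).hexdigest().upper()
    return "0x" + fpr[-8:]
def describe(blob: bytes) -> list:
    """Walk an exported key, returning (role, Key ID) per key packet; the ID uses public fields only."""
    out, i = [], 0
    while i < len(blob):
        tag, length = (blob[i] >> 2) & 0x0F, struct.unpack(">H", blob[i + 1:i + 3])[0]
        out.append((ROLE[tag], key_id(public_of(blob[i + 3:i + 3 + length]))))
        i += 3 + length
    return out
def toy_rsa(p: int, q: int, e: int = 65537) -> tuple:
    """Toy RSA parameters (n, e, d, p, q, u) from two small primes; far too small for real use."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1)), p, q, pow(p, -1, q)

MASTER, ENC_SUB, SIG_SUB = toy_rsa(1000003, 999983), toy_rsa(1000033, 999979), toy_rsa(1000037, 1000039)
# A "private key" export carries tags 5 and 7 and so embeds every public half; the public export
# carries tags 6 and 14 for the same master key and subkeys, and yields the same Key IDs.
SECRET_EXPORT = b"".join(packet(t, secret_fields(*k)) for t, k in [(5, MASTER), (7, ENC_SUB), (7, SIG_SUB)])
PUBLIC_EXPORT = b"".join(packet(t, public_fields(*k[:2])) for t, k in [(6, MASTER), (14, ENC_SUB), (14, SIG_SUB)])
```

Running `describe(SECRET_EXPORT)` and `describe(PUBLIC_EXPORT)` lists three key packets each, with the same three Key IDs in the same order, the first being the master key's.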