My PGP primary key is only used for certification—I use a separate subkey for signing. Like this:
sec  rsa4096/0x891781D0EDC66456
     created: 2021-09-04  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x14CF79D2D5917737
     created: 2021-09-04  expires: 2023-09-04  usage: S
ssb  rsa4096/0x0041701689E0A409
     created: 2021-09-04  expires: 2023-09-04  usage: E
(ultimate) (1). test user <firstname.lastname@example.org>
I noticed that the OpenPGP card spec only supports three key slots: one for signing, one for encryption, and one for authentication. There is no slot dedicated to certification. However, the keytocard command permits moving the signing subkey to the authentication slot, and moving the certification key to the signature slot.
My question: Are there any downsides to moving the keys to the card (YubiKey) as follows:
- certification (primary) key to the signature slot
- signing subkey to the authentication slot
- encryption subkey to the encryption slot
In particular: Will I still be able to use the signing subkey for signing even though it’s in the authentication slot? I generated some throwaway keys and it seemed to work, but I wanted confirmation that it was OK.
The YubiKey will mostly be in cold storage, used only for the occasional certification operations (e.g., extending subkey expiration) and as a backup if I lose my main YubiKey.
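One way to confirm the layout after keytocard, as an added example that is not part of the original question: parse gpg --card-status to see which long key ID sits in each slot, compare it against the intended mapping (primary key in the Signature slot, signing subkey in the Authentication slot), and, when the card is present, force a signature with that exact subkey via the `!` suffix and verify it. The key IDs are the ones from the question; the full fingerprints in the sample card-status output are constructed so the slot check runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Checks which key landed in which
# OpenPGP card slot and whether the signing subkey still signs from the
# Authentication slot. Key IDs are from the question; the full fingerprints in
# SAMPLE_CARD_STATUS are constructed (only their last 16 hex digits are real).

# Intended layout from the question: slot -> long key ID
EXPECT_SIG="891781D0EDC66456"   # certification (primary) key in the Signature slot
EXPECT_AUT="14CF79D2D5917737"   # signing subkey in the Authentication slot
EXPECT_ENC="0041701689E0A409"   # encryption subkey in the Encryption slot

# Constructed sample of `gpg --card-status` output (fingerprints are made up
# apart from the trailing key IDs), used so the layout check runs without a card.
SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Signature key ....: 1111 2222 3333 4444 5555  6666 8917 81D0 EDC6 6456
Encryption key....: 7777 8888 9999 AAAA BBBB  CCCC 0041 7016 89E0 A409
Authentication key: DDDD EEEE FFFF 0000 1234  5678 14CF 79D2 D591 7737'

# slot_keyid "<slot label>"  (card-status text on stdin)
# Prints the long key ID (last 16 hex digits of the fingerprint) in that slot,
# or "none" when gpg reports the slot as [none].
slot_keyid() {
  awk -F': *' -v key="$1" 'index($0, key) == 1 {
    gsub(/ /, "", $2)
    print ($2 == "[none]") ? "none" : substr($2, length($2) - 15)
  }'
}

# check_layout "<card-status text>": prints each mismatch, returns 1 if any.
check_layout() {
  local rc=0 sig aut enc
  sig=$(printf '%s\n' "$1" | slot_keyid "Signature key")
  aut=$(printf '%s\n' "$1" | slot_keyid "Authentication key")
  enc=$(printf '%s\n' "$1" | slot_keyid "Encryption key")
  [ "$sig" = "$EXPECT_SIG" ] || { echo "Signature slot: $sig, expected $EXPECT_SIG"; rc=1; }
  [ "$aut" = "$EXPECT_AUT" ] || { echo "Authentication slot: $aut, expected $EXPECT_AUT"; rc=1; }
  [ "$enc" = "$EXPECT_ENC" ] || { echo "Encryption slot: $enc, expected $EXPECT_ENC"; rc=1; }
  return $rc
}

# Live check (needs gpg and the card inserted; skipped otherwise): sign with the
# signing subkey only, forced by the '!' suffix, then verify the signature.
sign_roundtrip() {
  command -v gpg >/dev/null 2>&1 && gpg --card-status >/dev/null 2>&1 \
    || { echo "gpg or card not available; skipping live signing test"; return 0; }
  tmp=$(mktemp) && printf 'test\n' >"$tmp"
  gpg --detach-sign --output "$tmp.sig" --local-user "0x${EXPECT_AUT}!" "$tmp" \
    && gpg --verify "$tmp.sig" "$tmp"
  rc=$?; rm -f "$tmp" "$tmp.sig"; return $rc
}

check_layout "$SAMPLE_CARD_STATUS" && echo "sample card layout matches the intended mapping"
```

Run against the real card with `check_layout "$(gpg --card-status)"` and then `sign_roundtrip`; gpg --verify reporting the 0x14CF79D2D5917737 subkey is the confirmation the question asks for.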