1 files changed, 63 insertions, 27 deletions

diff --git a/README.md b/README.md
index 6fc9672..9a32316 100644
--- a/README.md
+++ b/README.md
@@ -219,17 +219,53 @@ $ gpg --gen-random -a 0 24
 ydOmByxmDe63u7gqx2XI9eDgpvJwibNH
 ```
 
-Generate a new key with GPG, selecting `(4) RSA (sign only)` and `4096` bit keysize. Do not set the key to expire - see [Note #3](#notes).
+Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify`-only and `4096` bit keysize. Do not set the key to expire - see [Note #3](#notes).
 
 ```console
-$ gpg --full-generate-key
+$ gpg --expert --full-generate-key
 
 Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
-Your selection? 4
+   (7) DSA (set your own capabilities)
+   (8) RSA (set your own capabilities)
+   (9) ECC and ECC
+  (10) ECC (sign only)
+  (11) ECC (set your own capabilities)
+  (13) Existing key
+Your selection? 8
+
+Possible actions for a RSA key: Sign Certify Encrypt Authenticate
+Current allowed actions: Sign Certify Encrypt
+
+   (S) Toggle the sign capability
+   (E) Toggle the encrypt capability
+   (A) Toggle the authenticate capability
+   (Q) Finished
+
+Your selection? e
+
+Possible actions for a RSA key: Sign Certify Encrypt Authenticate
+Current allowed actions: Sign Certify
+
+   (S) Toggle the sign capability
+   (E) Toggle the encrypt capability
+   (A) Toggle the authenticate capability
+   (Q) Finished
+
+Your selection? s
+
+Possible actions for a RSA key: Sign Certify Encrypt Authenticate
+Current allowed actions: Certify
+
+   (S) Toggle the sign capability
+   (E) Toggle the encrypt capability
+   (A) Toggle the authenticate capability
+   (Q) Finished
+
+Your selection? q
 RSA keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048) 4096
 Requested keysize is 4096 bits
@@ -265,7 +301,7 @@ public and secret key created and signed.
 
 Note that this key cannot be used for encryption.  You may want to use
 the command "--edit-key" to generate a subkey for this purpose.
-pub   rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC]
+pub   rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
       Key fingerprint = 011C E16B D45B 27A5 5BA8  776D FF3E 7D88 647E BCDB
 uid                              Dr Duh <doc@duh.to>
 ```
@@ -288,7 +324,7 @@ $ gpg --expert --edit-key $KEYID
 Secret key is available.
 
 sec  rsa4096/0xEA5DE91459B80592
-    created: 2017-10-09  expires: never       usage: SC  
+    created: 2017-10-09  expires: never       usage: C
     trust: ultimate      validity: ultimate
 [ultimate] (1). Dr Duh <doc@duh.to>
 ```
@@ -336,10 +372,10 @@ disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 
 sec  rsa4096/0xFF3E7D88647EBCDB
-    created: 2017-10-09  expires: never       usage: SC  
+    created: 2017-10-09  expires: never       usage: C
     trust: ultimate      validity: ultimate
 ssb  rsa4096/0xBECFA3C1AE191D15
-    created: 2017-10-09  expires: 2018-10-09       usage: S   
+    created: 2017-10-09  expires: 2018-10-09       usage: S
 [ultimate] (1). Dr Duh <doc@duh.to>
 ```
 
@@ -380,12 +416,12 @@ disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 
 sec  rsa4096/0xFF3E7D88647EBCDB
-    created: 2017-10-09  expires: never       usage: SC  
+    created: 2017-10-09  expires: never       usage: C
     trust: ultimate      validity: ultimate
 ssb  rsa4096/0xBECFA3C1AE191D15
-    created: 2017-10-09  expires: 2018-10-09       usage: S   
+    created: 2017-10-09  expires: 2018-10-09       usage: S
 ssb  rsa4096/0x5912A795E90DD2CF
-    created: 2017-10-09  expires: 2018-10-09       usage: E   
+    created: 2017-10-09  expires: 2018-10-09       usage: E
 [ultimate] (1). Dr Duh <doc@duh.to>
 ```
 
@@ -468,14 +504,14 @@ disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 
 sec  rsa4096/0xFF3E7D88647EBCDB
-    created: 2017-10-09  expires: never       usage: SC  
+    created: 2017-10-09  expires: never       usage: C
     trust: ultimate      validity: ultimate
 ssb  rsa4096/0xBECFA3C1AE191D15
-    created: 2017-10-09  expires: 2018-10-09       usage: S   
+    created: 2017-10-09  expires: 2018-10-09       usage: S
 ssb  rsa4096/0x5912A795E90DD2CF
-    created: 2017-10-09  expires: 2018-10-09       usage: E   
+    created: 2017-10-09  expires: 2018-10-09       usage: E
 ssb  rsa4096/0x3F29127E79649A3D
-    created: 2017-10-09  expires: 2018-10-09       usage: A   
+    created: 2017-10-09  expires: 2018-10-09       usage: A
 [ultimate] (1). Dr Duh <doc@duh.to>
 
 gpg> save
@@ -489,7 +525,7 @@ List the generated secret keys and verify the output:
 $ gpg --list-secret-keys
 /tmp.FLZC0xcM/pubring.kbx
 -------------------------------------------------------------------------
-sec   rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC]
+sec   rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
       Key fingerprint = 011C E16B D45B 27A5 5BA8  776D FF3E 7D88 647E BCDB
 uid                            Dr Duh <doc@duh.to>
 ssb   rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
@@ -795,14 +831,14 @@ $ gpg --edit-key $KEYID
 Secret key is available.
 
 sec  rsa4096/0xFF3E7D88647EBCDB
-    created: 2017-10-09  expires: never       usage: SC  
+    created: 2017-10-09  expires: never       usage: C
     trust: ultimate      validity: ultimate
 ssb  rsa4096/0xBECFA3C1AE191D15
-    created: 2017-10-09  expires: 2018-10-09  usage: S   
+    created: 2017-10-09  expires: 2018-10-09  usage: S
 ssb  rsa4096/0x5912A795E90DD2CF
-    created: 2017-10-09  expires: 2018-10-09  usage: E   
+    created: 2017-10-09  expires: 2018-10-09  usage: E
 ssb  rsa4096/0x3F29127E79649A3D
-    created: 2017-10-09  expires: 2018-10-09  usage: A   
+    created: 2017-10-09  expires: 2018-10-09  usage: A
 [ultimate] (1). Dr Duh <doc@duh.to>
 ```
 
@@ -814,7 +850,7 @@ Select and move the signature key. You will be prompted for the key passphrase a
 gpg> key 1
 
 sec  rsa4096/0xFF3E7D88647EBCDB
-    created: 2017-10-09  expires: never       usage: SC
+    created: 2017-10-09  expires: never       usage: C
     trust: ultimate      validity: ultimate
 ssb* rsa4096/0xBECFA3C1AE191D15
     created: 2017-10-09  expires: 2018-10-09  usage: S
@@ -845,7 +881,7 @@ gpg> key 1
 gpg> key 2
 
 sec  rsa4096/0xFF3E7D88647EBCDB
-    created: 2017-10-09  expires: never       usage: SC
+    created: 2017-10-09  expires: never       usage: C
     trust: ultimate      validity: ultimate
 ssb  rsa4096/0xBECFA3C1AE191D15
     created: 2017-10-09  expires: 2018-10-09  usage: S
@@ -873,7 +909,7 @@ gpg> key 2
 gpg> key 3
 
 sec  rsa4096/0xFF3E7D88647EBCDB
-    created: 2017-10-09  expires: never       usage: SC
+    created: 2017-10-09  expires: never       usage: C
     trust: ultimate      validity: ultimate
 ssb  rsa4096/0xBECFA3C1AE191D15
     created: 2017-10-09  expires: 2018-10-09  usage: S
@@ -899,7 +935,7 @@ Verify the subkeys have moved to YubiKey as indicated by `ssb>`:
 $ gpg --list-secret-keys
 /tmp.FLZC0xcM/pubring.kbx
 -------------------------------------------------------------------------
-sec   rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC]
+sec   rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
       Key fingerprint = 011C E16B D45B 27A5 5BA8  776D FF3E 7D88 647E BCDB
 uid                            Dr Duh <doc@duh.to>
 ssb>  rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
@@ -1021,7 +1057,7 @@ $ gpg --edit-key $KEYID
 Secret key is available.
 
 gpg> trust
-pub  4096R/0xFF3E7D88647EBCDB  created: 2016-05-24  expires: never       usage: SC
+pub  4096R/0xFF3E7D88647EBCDB  created: 2016-05-24  expires: never       usage: C
                                trust: unknown       validity: unknown
 sub  4096R/0xBECFA3C1AE191D15  created: 2017-10-09  expires: 2018-10-09  usage: S
 sub  4096R/0x5912A795E90DD2CF  created: 2017-10-09  expires: 2018-10-09  usage: E
@@ -1041,7 +1077,7 @@ Please decide how far you trust this user to correctly verify other users' keys
 Your decision? 5
 Do you really want to set this key to ultimate trust? (y/N) y
 
-pub  4096R/0xFF3E7D88647EBCDB  created: 2016-05-24  expires: never       usage: SC
+pub  4096R/0xFF3E7D88647EBCDB  created: 2016-05-24  expires: never       usage: C
                                trust: ultimate      validity: unknown
 sub  4096R/0xBECFA3C1AE191D15  created: 2017-10-09  expires: 2018-10-09  usage: S
 sub  4096R/0x5912A795E90DD2CF  created: 2017-10-09  expires: 2018-10-09  usage: E
@@ -1094,7 +1130,7 @@ ssb>  4096R/0x3F29127E79649A3D  created: 2017-10-09  expires: 2018-10-09
 # Encryption
 
 ```console
-$ echo "test message string" | gpg --encrypt --armor --recipient $KEYID 
+$ echo "test message string" | gpg --encrypt --armor --recipient $KEYID
 -----BEGIN PGP MESSAGE-----
 
 hQIMA1kSp5XpDdLPAQ/+JyYfLaUS/+llEzQaKDb5mWhG4HlUgD99dNJUXakm085h
@@ -1399,7 +1435,7 @@ $ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/
 * Finally, to enable agent forwarding for a given machine, add the following to the local machine's ssh config file `~/.ssh/config` (your agent sockets may be different):
 
 ```
-Host 
+Host
   Hostname your-domain
   ForwardAgent yes
   RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra