Cannot sign keys without offline secret key #22

Closed
wsargent opened this issue Sep 22, 2016 · 1 comment

Comments

@wsargent (Contributor)

If you are creating a new GPG key for a Yubikey Nano, you need to have the master key available. You cannot sign with the "signing" or "authentication" key.

This means in the guide, if you've got hold of a new Yubikey, you need to have the secret key material for both keys available in order to bring the new GPG key and Yubikey fully online.

Per http://forum.yubico.com/viewtopic.php?p=8911&sid=f0304ff17fcd6863f7ee3db99a8bd7dc#p8911

> EDIT: Final note: only a key with the C(ertification) usage can be used to sign keys (including the signature required to extend the expiry or add new subkeys), and per RFC 4880, only the master key should be permitted to Certify. This means that you will need to use the backup in order to perform those actions or sign other people's keys. This is feasible because, in general, these activities are relatively rare. A more secure setup would involve the use of a second token (such as yubikey) in which you store the master key, so that your master is not exposed when you need to use it (in theory it would take destructive methods and probably a SEM to extract the secret key from the secure module, and let's be honest, that means your adversary is a government, in which case they've got far more effective methods of getting you to turn it over, and you've got far bigger problems than losing your keys).
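The behaviour described in the issue, as an added example that is not part of the issue text or of the drduh guide: the script builds a cert-only primary key with sign and auth subkeys in one throwaway GnuPG homedir, exports only the secret subkeys into a second homedir (the state of a laptop whose master key is offline and whose subkeys live on a YubiKey), and then tries the operations the forum quote lists in both homedirs. It assumes GnuPG 2.1 or later (`gpg` and `gpgconf` on PATH); the user IDs, the ed25519/cv25519 algorithm choices and the empty passphrase are arbitrary demo values, and no YubiKey is involved, since a subkeys-only keyring reproduces the same "primary key is a stub" condition.

```shell
#!/bin/sh
# Added example, not code from the drduh guide or the issue author.
# Shows which OpenPGP operations need the certify-capable primary ("master") key
# and which work when only the sign/auth subkeys are present.
# Assumes GnuPG 2.1+ (gpg, gpgconf). User IDs, algorithms and the empty
# passphrase are throwaway demo values.

# Non-interactive gpg; the empty passphrase is for the demo keys only.
run_gpg() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the first (primary) key in a homedir: field 10 of the "fpr" record.
primary_fpr() {
  gpg --batch --homedir "$1" --with-colons --list-keys 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Field 15 of the "sec" record is "#" when the primary secret key is only a stub
# (the same thing "sec#" means in the human-readable --list-secret-keys output).
primary_stub_marker() {
  gpg --batch --homedir "$1" --with-colons --list-secret-keys 2>/dev/null \
    | awk -F: '$1 == "sec" { print $15; exit }'
}

# Prints 0 if the given command succeeds and 1 if it fails.
status_of() { if "$@" >/dev/null 2>&1; then echo 0; else echo 1; fi; }

# Operations that are certifications, i.e. need the primary key:
try_set_expire() { run_gpg --homedir "$1" --quick-set-expire "$2" 1y; }
try_add_subkey() { run_gpg --homedir "$1" --quick-add-key "$2" cv25519 encr never; }
try_sign_key()   { run_gpg --homedir "$1" --local-user "$2" --quick-sign-key "$3"; }
# An ordinary data signature, which only needs the signing subkey:
try_sign_data()  { printf 'hello\n' | run_gpg --homedir "$1" --local-user "$2" --detach-sign; }

# Builds the keyrings, runs every probe in both homedirs and prints "name=status" lines.
demo_results() {
  work=$(mktemp -d)
  full="$work/full"; online="$work/online"; other="$work/other"
  mkdir -m 700 "$full" "$online" "$other"

  # 1. Full keyring: cert-only primary plus a signing and an authentication subkey.
  run_gpg --homedir "$full" --quick-generate-key "Demo <demo@example.invalid>" ed25519 cert never
  fpr=$(primary_fpr "$full")
  run_gpg --homedir "$full" --quick-add-key "$fpr" ed25519 sign never
  run_gpg --homedir "$full" --quick-add-key "$fpr" ed25519 auth never

  # 2. "Online" keyring: public key plus secret subkeys only; the primary becomes a stub.
  run_gpg --homedir "$full" --export "$fpr" > "$work/pub.gpg"
  run_gpg --homedir "$full" --export-secret-subkeys "$fpr" > "$work/subkeys.gpg"
  run_gpg --homedir "$online" --import "$work/pub.gpg" "$work/subkeys.gpg"

  # 3. Someone else's public key, imported into both keyrings as a certification target.
  run_gpg --homedir "$other" --quick-generate-key "Other <other@example.invalid>" ed25519 cert never
  other_fpr=$(primary_fpr "$other")
  run_gpg --homedir "$other" --export "$other_fpr" > "$work/other.gpg"
  run_gpg --homedir "$full" --import "$work/other.gpg"
  run_gpg --homedir "$online" --import "$work/other.gpg"

  echo "stub_marker_online=$(primary_stub_marker "$online")"
  for entry in "full=$full" "online=$online"; do
    name=${entry%%=*}; dir=${entry#*=}
    echo "set_expire_$name=$(status_of try_set_expire "$dir" "$fpr")"
    echo "add_subkey_$name=$(status_of try_add_subkey "$dir" "$fpr")"
    echo "sign_key_$name=$(status_of try_sign_key "$dir" "$fpr" "$other_fpr")"
    echo "sign_data_$name=$(status_of try_sign_data "$dir" "$fpr")"
  done

  # Stop the per-homedir agents before deleting the temporary directories.
  for dir in "$full" "$online" "$other"; do
    GNUPGHOME="$dir" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
  demo_results
else
  echo "gpg not found on PATH" >&2
fi
```

In the subkeys-only homedir the expiry change, the new subkey and the key certification all fail while the detached data signature succeeds, and `stub_marker_online` is `#`, which is the check to run before assuming a machine can do any of the certifying operations: if `gpg --list-secret-keys` shows `sec#`, the master key is not there and has to be brought back from the offline backup (or a second token) for that step. With the subkeys on a YubiKey the listing shows them as `ssb>`, a stub pointing at the card, and the same rule applies.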

@drduh (Owner)

drduh commented Sep 10, 2018

I think this is pretty clear in the guide now. If not, let me know and I'll clarify.

@drduh drduh closed this as completed Sep 10, 2018