Why use an OpenPGP authentication-capable subkey instead of just marking my OpenPGP primary key to be authentication-capable?
There are many reasons. Most importantly for the Monkeysphere, gpg refuses to emit the secret key material for a primary key in cleartext form, but it is willing to emit a subkey in cleartext, provided you give it the right password and tickle it with the right options. monkeysphere subkey-to-ssh-agent knows how to do this (prompting the user for the password), and can then transform the result into an OpenSSH-formatted key, which can be handed to the agent. So if you were to use your primary key, you would have to find some other way to make it usable by ssh, because we have no way to get direct access to the primary key.

Another good reason to create a new authentication-capable subkey instead of marking your primary key authentication-capable is simply to avoid tampering with your primary key.

Also, using a subkey makes it easier to put your primary key (the most sensitive bit of an OpenPGP key) in offline storage, brought out only for special uses (like adding a subkey, or following up
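
An added check, not part of Monkeysphere or of the original FAQ: it reads `gpg --with-colons --list-keys` output and reports, for each primary key, whether the authentication capability sits on the primary key itself or on a subkey. The listing and key IDs below are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Colon-listing fields used: 1 = record type, 2 = validity, 5 = key ID,
# 12 = capabilities. On a "pub" record the lowercase letters are the primary
# key's own capabilities; uppercase letters summarise the whole key, so only
# a lowercase "a" means the primary key itself is authentication-capable.

audit_auth_caps() {
    awk -F: '
        function report() {
            if (primary == "") return
            if (primary_auth)   print primary ": primary key is authentication-capable"
            else if (n_sub > 0) print primary ": ok, authentication subkey " subs
            else                print primary ": no usable authentication subkey"
        }
        $1 == "pub" {
            report()
            primary = $5; primary_auth = ($12 ~ /a/); n_sub = 0; subs = ""
        }
        # Count only subkeys that are not revoked (r) or expired (e).
        $1 == "sub" && $12 ~ /a/ && $2 !~ /^[re]/ {
            n_sub++; subs = subs (subs == "" ? "" : ",") $5
        }
        END { report() }
    '
}

# Constructed sample listing (not real keys).
sample_listing() {
cat <<'EOF'
pub:u:4096:1:1111111111111111:1500000000:::u:::scESCA:
uid:u::::1500000000::0000::Constructed User <user@example.org>:
sub:u:4096:1:2222222222222222:1500000000::::::e:
sub:u:4096:1:3333333333333333:1500000000::::::a:
pub:u:4096:1:4444444444444444:1500000000:::u:::scaESCA:
sub:u:4096:1:5555555555555555:1500000000::::::e:
pub:u:4096:1:6666666666666666:1500000000:::u:::scESC:
sub:r:4096:1:7777777777777777:1500000000::::::a:
EOF
}

# Against a real keyring: gpg --with-colons --list-keys | audit_auth_caps
sample_listing | audit_auth_caps
```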