Standards and PGP wraper

John A. Martin jam at
Wed Nov 11 10:14:37 CET 1998

>>>>> "dp" == David Pick
>>>>> "Re: Standards and PGP wraper "
>>>>>  Wed, 11 Nov 1998 11:13:53 +0000

    >> >>>>> "dp1" == David Pick "Re: Standards and PGP wraper "
    >> >>>>>  Tue, 10 Nov 1998 18:37:41 +0000
    dp1> It's just that I happen to feel that in many ways digital
    dp1> signatures are more important than the basic encryption,
    dp1> certainly if they become accepted (as I expect they will) as
    dp1> legally equivalent to traditional hand-written signatures
    dp1> sometime in the not-so-distant future.
    >> Is there a problem with using a sign-only key for normal
    >> signatures and using the signing key of a sign-and-encrypt pair
    >> only in conjunction with encrypting?

    dp> I'm not sure I understand you here. What do you mean by "using
    dp> the signing key of a sign-and-encrypt pair only in conjunction
    dp> with encrypting"? Surely, when encrypting you'd use the
    dp> encryption key of the sign-and-encrypt pair and not touch the
    dp> signing key. (If by sign-and-encrypt-pair you mean a sign-only
    dp> key and an encrypt-only subkey.)

I mean to do signing alone with a sign-only key and use the sign part
of the sign+encrypt combo when doing sign and encrypt.

Isn't the motivation of signature-only keys served this way?

    dp> Certainly it's possible to set up two top-level keys and use
    dp> one (probably sign-only) for signing, and the other (just
    dp> possibly encrypt-only) for encryption (and decryption!).

    dp> But it's a lot less convenient because they look like two
    dp> different keys to things like keyservers, import and export
    dp> operations, and the like. And that can lead to confusions
    dp> especially with less experienced users of PGP or GnuPG, they
    dp> might end up with only one of my keys on their keyring because
    dp> they don't realise there's two of them.

    dp> And it also probably forces me to tell my mailer that I always
    dp> want to select the key to use for any operation because it
    dp> won't have the ability to set *two* different keys as the
    dp> defaults for the two different types of operation.

Teach your mailer new tricks.  Easy for Emacs mailers.  :-)

I see a number of people with sign-only keys apart from their
sign+encrypt keys on the servers.

A single one size fits all key seems to be a thing of the past.

I agree it is inconvenient.

Almost as inconvenient as having to continue with a separate pgp2
capability (in the US).
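Added example, not part of this thread or of GnuPG: a small parser for `gpg --list-keys --with-colons` records, run over constructed output, that groups subkeys under their primary and reports what a correspondent would have to import. It shows the point above concretely: a sign-only primary with an encrypt-only subkey is one key to keyservers and importers, while a separate signing key and encryption key are two. The key IDs, hashes and user IDs are made up; the field positions follow GnuPG's documented colon format (field 5 key ID, field 10 user ID, field 12 capability letters).

```python
from dataclasses import dataclass, field

# Constructed sample of `gpg --list-keys --with-colons` output (fake key IDs).
# Field 12 holds capability letters: s=sign, e=encrypt, c=certify, a=auth.
# Lowercase letters describe this key packet alone; the uppercase summary of
# the whole key is recomputed below instead of being trusted from the output.
SAMPLE = """\
pub:u:2048:1:1111111111111111:1998-11-11:::u:::scESC:
uid:u::::1998-11-11::HASH1::Alice (constructed) <alice@example.invalid>:
sub:u:2048:16:2222222222222222:1998-11-11::::::e:
pub:u:1024:17:3333333333333333:1998-11-11:::u:::scSC:
uid:u::::1998-11-11::HASH2::Bob signing (constructed) <bob@example.invalid>:
pub:u:2048:16:4444444444444444:1998-11-11:::u:::ecEC:
uid:u::::1998-11-11::HASH3::Bob encryption (constructed) <bob@example.invalid>:
"""


@dataclass
class Key:
    keyid: str
    caps: set = field(default_factory=set)       # primary key's own capabilities
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)  # (keyid, caps) per subkey

    def effective_caps(self):
        """Capabilities of the key as a whole: primary plus every subkey."""
        caps = set(self.caps)
        for _, sub_caps in self.subkeys:
            caps |= sub_caps
        return caps


def _own_caps(fields):
    raw = fields[11] if len(fields) > 11 else ""
    return {c for c in raw if c.islower()}


def parse_colons(text):
    """Group pub/uid/sub records into Key objects, one per top-level key."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(keyid=f[4], caps=_own_caps(f)))
        elif f[0] == "sub" and keys:
            keys[-1].subkeys.append((f[4], _own_caps(f)))
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys


def keys_for_user(keys, needle):
    """Top-level keys a correspondent must import to both verify signatures
    from and encrypt to `needle`, with each key's combined capabilities."""
    return [(k.keyid, "".join(sorted(k.effective_caps())))
            for k in keys if any(needle in u for u in k.uids)]
```

Alice's correspondents need one key ID; Bob's need two, which is the confusion the thread describes.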


More information about the Gnupg-devel mailing list