Key version games (was Re: problem with exporting subkeys)
David Shaw
dshaw@jabberwocky.com
Thu Feb 28 20:16:01 2002
On Thu, Feb 28, 2002 at 08:52:50PM +0200, disastry@saiknes.lv wrote:
> > We should construct such a key and see if any programs break with it.
> > Where did you see it?
>
> I have one on my keyring, I put it on web page at
> http://disastry.dhs.org/pgp/testkeys/testv3withsubkey.asc
>
> I don't remember from where I got this key, but I don't think
> that I generated it myself, because it have passphrase "test"
> (all may test keys have passphrase "a" or "12345678" :) )
>
> but I also remember seen real (not test) key belonging to some person.
> I can't find it... it was RSAv3 key with Elgamal subkey.
>
> GPG allows (maybe it does not allow now, but at least
> older versions allowed) to add subkeys to v3 keys.
It still allows you, but it prints a warning "creating subkeys for v3
keys is not OpenPGP compliant". It may have warned before too.
> > Speaking of key versions - I spent some time looking at what versions
> > were permitted with what a while ago and one thing that does seem to
> > be explicitly permitted is v4 keys with v3 subkeys. I did test this
> > and PGP supports it (though this may be accidental support). GnuPG
> > 1.0.6 only partially supports it, but I fixed that in 1.0.7.
> >
> > Florian, this can give you the unchangeable expiration date that you
> > wanted, if you're willing to accept the restrictions (RSA only, etc.)
> > on v3 keys :)
>
> btw, v3 subkeys are (seems to be) allowed too,
> section 5.5.2. Public Key Packet Formats
> "A version 3 public key or public subkey packet contains:"
That's what I just said - one paragraph up. I can't see any really
good use for it except that v3 (sub)keys have a fixed expiration date
that cannot be changed in the binding self-sig. That's why I thought
Florian would be interested, since he wanted that feature.
I suppose it would be handy for someone who had a lot of v3 keys to
gather them together into one key, but that really doesn't give you
anything useful.
> some time ago I did some experiments - added key to other key as subkey,
> and converted subkey to key :) it worked.
Yes. I tried that once as well. I was thinking it would be an
interesting solution for wanting a signing subkey, but since PGP
couldn't verify a signature from a signing subkey, I made my signing
subkey into a regular v4 key for PGP folks. :)
David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson