Key version games (was Re: problem with exporting subkeys)

David Shaw dshaw at
Thu Feb 28 14:55:01 CET 2002

On Thu, Feb 28, 2002 at 12:50:05PM +0200, disastry at wrote:

> David Shaw dshaw at wrote:
> > > Second question: why GPG chokes on it?
> > 
> > Judging from the listing you posted, it seems you did
> > --export-secret-subkeys on a v3 key (mixed in with your v4 keys).  V3
> > keys do not work with --export-secret-subkeys, and in fact cause the
> > resulting file to be unusable.
> > 
> > I just committed a fix which makes --export-secret-subkeys ignore v3
> > keys.
> > David
> Note that v3 keys also can have subkeys. OpenPGP does not forbid it.
> I have even seen v3 keys with subkeys.

Are you sure?  Section 10.1 ("Transferable Public Keys") says:

  However, any V4 key may have subkeys, and the subkeys may be
  encryption-only keys, signature-only keys, or general-purpose keys.

That doesn't exactly forbid it, true, but also section 11.1 ("Key
structures") does not show subkeys at all in the v3 allowable format
which is a stronger statement.

We should construct such a key and see if any programs break with it.
Where did you see it?

Speaking of key versions - I spent some time looking at what versions
were permitted with what a while ago and one thing that does seem to
be explicitly permitted is v4 keys with v3 subkeys.  I did test this
and PGP supports it (though this may be accidental support).  GnuPG
1.0.6 only partially supports it, but I fixed that in 1.0.7.

Florian, this can give you the unchangeable expiration date that you
wanted, if you're willing to accept the restrictions (RSA only, etc.)
on v3 keys :)


   David Shaw  |  dshaw at  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
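
The version combinations discussed in this message (a v3 primary key carrying subkeys, a v4 primary key with a v3 subkey) can be spotted by reading the version octet at the start of each key and subkey packet. The Python below is an added example, not code from the post or from GnuPG; the function names and sample bytes are constructed for illustration, and partial-body and indeterminate lengths are not handled.

```python
PRIMARY_TAGS = {5, 6}   # secret key, public key
SUBKEY_TAGS = {7, 14}   # secret subkey, public subkey

def packets(data):
    """Yield (tag, body) per packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        first, i = data[i], i + 1
        if not first & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                     # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def version_mix(data):
    """Return [(primary_version, [subkey_versions])], one entry per key."""
    keys = []
    for tag, body in packets(data):
        ver = body[0] if body else None        # first body octet is the version
        if tag in PRIMARY_TAGS:
            keys.append((ver, []))
        elif tag in SUBKEY_TAGS and keys:
            keys[-1][1].append(ver)
    return keys

def unusual(data):
    """Flag v3 primaries carrying subkeys and v4 primaries with a v3 subkey."""
    return [(p, s) for p, s in version_mix(data)
            if (p == 3 and s) or (p == 4 and 3 in s)]

# Constructed sample, not real key material: version octet plus zero padding.
def _old(tag, body): return bytes([0x80 | (tag << 2), len(body)]) + body
SAMPLE = b"".join(_old(t, bytes([v]) + bytes(7)) for t, v in [(6, 3), (14, 3), (6, 4), (14, 3), (14, 4), (6, 4)])
```

User ID and signature packets in a real exported key are simply skipped by `version_mix`, so `unusual()` can be run on the binary (non-armored) output of an export.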
