using subkey signatures
Werner Koch
wk@gnupg.org
Tue Sep 3 09:07:02 2002
On Mon, 2 Sep 2002 16:54:43 -0400 (EDT), V Alex Brennen said:
> I've never found myself in the position of needing to search for a
> public subkey. If you where to deploy PGP in a way in which you
You need to search for it if the signature was made by a subkey.
This is actually a very good security measure because you would be
able to take the primary secret key offline and only keep a signing
and an encryption subkey online (cf. gpg --export-secret-subkeys).
The advantage of this scheme is that only the subkeys can be remotely
compromised and you can very easy revoke them and create new subkeys
because you still own an uncompromised primary key on some box not
connected to the net.
I'd really like to use this but as long as PGP can't verify something
signed by a subkey it is not very practicable.
Shalom-Salam,
Werner