using subkey signatures
David Shaw
dshaw@jabberwocky.com
Tue Sep 3 14:01:01 2002
On Tue, Sep 03, 2002 at 09:10:51AM +0200, Werner Koch wrote:
> On Mon, 2 Sep 2002 16:54:43 -0400 (EDT), V Alex Brennen said:
>
> > I've never found myself in the position of needing to search for a
> > public subkey. If you were to deploy PGP in a way in which you
>
> You need to search for it if the signature was made by a subkey.
>
> This is actually a very good security measure because you would be
> able to take the primary secret key offline and only keep a signing
> and an encryption subkey online (cf. gpg --export-secret-subkeys).
> The advantage of this scheme is that only the subkeys can be remotely
> compromised and you can very easily revoke them and create new subkeys
> because you still own an uncompromised primary key on some box not
> connected to the net.
>
> I'd really like to use this but as long as PGP can't verify something
> signed by a subkey it is not very practicable.

I have (unofficial, of course, but still interesting) mail indicating
that PGP 8 will properly verify signatures made by a subkey when it
comes out later this year.

David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
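
Added example, not part of the original thread: a check that a machine's keyring follows the scheme described in the quoted text (primary secret key offline, signing and encryption subkeys online), by parsing `gpg --list-secret-keys --with-colons` output. It assumes the GnuPG 2.1+ colon format, where field 15 is `#` for a secret key that is only a stub; the sample listings, key IDs and function names are constructed for illustration.

```python
# Added example: audit a `gpg --list-secret-keys --with-colons` listing.
# Assumes GnuPG 2.1+ colon format: field 12 = capabilities, field 15 = "#"
# when the secret part is only a stub (not on this machine).

# Constructed sample listings (key IDs are made up).
SUBKEYS_ONLY = """\
sec:u:4096:1:1111111111111111:1030000000:::u:::scESC:::#:::23::0:
uid:u::::1030000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:2048:1:2222222222222222:1030000000::::::s:::+:::23:
ssb:u:2048:1:3333333333333333:1030000000::::::e:::+:::23:
"""
FULL_KEY = SUBKEYS_ONLY.replace(":scESC:::#:", ":scESC:::+:")


def parse_secret_listing(text):
    """Return one dict per sec/ssb record in a colon listing."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        keys.append({
            "primary": f[0] == "sec",
            "keyid": f[4],
            "revoked_or_expired": f[1] in ("r", "e"),
            "caps": {c for c in f[11] if c.islower()},  # this key's own caps
            "secret_here": f[14] != "#",   # "+" or a token serial number
        })
    return keys


def audit_online_keyring(text):
    """List deviations from the 'primary offline, subkeys online' scheme."""
    keys = parse_secret_listing(text)
    findings = []
    for k in keys:
        if k["primary"] and k["secret_here"]:
            findings.append(f"primary secret key {k['keyid']} is present on this machine")
    live = [k for k in keys if not k["primary"] and k["secret_here"]
            and not k["revoked_or_expired"]]
    for cap, name in (("s", "signing"), ("e", "encryption")):
        if not any(cap in k["caps"] for k in live):
            findings.append(f"no usable {name} subkey with secret material")
    return findings


if __name__ == "__main__":
    for listing in (SUBKEYS_ONLY, FULL_KEY):
        print(audit_online_keyring(listing) or "ok: only subkeys are online")
```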