using subkey signatures

V. Alex Brennen
Tue Sep 3 16:48:02 CEST 2002

On Mon, 2 Sep 2002, Jason Harris wrote:

> On Mon, Sep 02, 2002 at 03:49:33PM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> > On Mon, 2002-09-02 at 15:18, David Shaw wrote:
> > > This is a (HKP) keyserver limitation more than a GnuPG limitation.
> > > The LDAP keyservers do allow fetching by subkey ID.
> > 
> > Ok good to know. Is anything planned on the pks side? Or on the cks side
> > (it doesn't index subkey ids atm, it seems)? Or on the
> > side (doesn't neither, just now)? Just curious.

Yes, CKS does not provide for searching by subkey ids.  I don't understand
why you would want to search by subkey.

2440 identifies the primary public key as the signature key and subkeys 
as keys for encryption. The RFC goes so far as to tell people the whole 
reasoning behind the structure of the v4 key format is to get people to 
use different keys for signatures and encryptions. 

If you use a subkey for signatures in the way that I think you're 
describing, you're basically violating this best practice to no
benefit of your own.  I hate to provide functionality in the
keyserver that encourages people to circumvent security measures 
which are in the standard for their own protection. 

I've never found myself in the position of needing to search for a 
public subkey.  If you were to deploy PGP in a way in which you
needed to do that, you'd basically be subverting to some level
the value of digital signatures performed on the keyids in the
web of trust.

You're better off just querying for the public keyid and 
hoping to find the subkey attached.  If you do not, the 
best course of action would be to contact the public 
key holder and request an updated copy of his key.

	- VAB

> I'd like to add it to pks.
> [your .sig]
> > NOTICE: is known to carry a valid copy of my key
> Until then, giving the keyid of the pubkey will make it easier to find.
