using subkey signatures

David Shaw dshaw at jabberwocky.com
Tue Sep 3 01:07:02 CEST 2002


On Mon, Sep 02, 2002 at 04:54:43PM -0400, V. Alex Brennen wrote:
> On Mon, 2 Sep 2002, Jason Harris wrote:
> 
> > On Mon, Sep 02, 2002 at 03:49:33PM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> > > On Mon, 2002-09-02 at 15:18, David Shaw wrote:
> > 
> > > > This is a (HKP) keyserver limitation more than a GnuPG limitation.
> > > > The LDAP keyservers do allow fetching by subkey ID.
> > > 
> > > Ok good to know. Is anything planned on the pks side? Or on the cks side
> > > (it doesn't index subkey ids atm, it seems)? Or on the keyserver.net
> > > side (doesn't either, just now)? Just curious.
> 
> Yes, CKS does not provide for searching by subkey ids.  I don't understand
> why you would want to search by subkey.
> 
> 2440 identifies the primary public key as the signature key and subkeys 
> as keys for encryption. The RFC goes so far as to tell people the whole 
> reasoning behind the structure of the v4 key format is to get people to 
> use different keys for signatures and encryptions. 
> 
> If you use a subkey for signatures in the way that I think you're 
> describing, you're basically violating this best practice to no
> benefit of your own.  I hate to provide functionality in the
> keyserver that encourages people to circumvent security measures 
> which are in the standard for their own protection. 
> 
> I've never found myself in the position of needing to search for a 
> public subkey.  If you were to deploy PGP in a way in which you
> needed to do that, you'd basically be subverting to some level
> the value of digital signatures performed on the keyids in the
> web of trust.

I think I see the confusion here.  Adrian is not talking about using a
"raw" subkey to sign with (effectively making that subkey into a
primary for no particularly good reason).  Rather, it is a genuine
subkey of some other primary key.

Used this way, there is no security reason not to use signing subkeys.
Signing subkeys are bound to the primary signing key with a
self-signature just like encryption subkeys are.  The only difference
is that they are keys with an algorithm that can sign (say, RSA or
DSA).  This is legal by the spec (specifically mentioned as allowed in
section 10.1 and again in 11.1 of 2440).  GnuPG supports it, and PGP 8
should support it as well (as I understand, it was actually fixed in
7.x, but then it was not released of course).

Having keyservers that can return a primary key plus subkeys when
given only one of the subkey ids is useful when validating a signature
made by a subkey.  Since the keyid embedded in the signature is then a
subkey id, the keyserver needs to accept the subkey id, but return the
whole thing - the primary, plus subkeys.  This is what the LDAP
keyserver does.

David

-- 
   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
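
The lookup described in the message above, as an added example that is not part of the original post and not GnuPG or keyserver code: v4 key IDs are derived per RFC 2440 section 11.2, and a hypothetical `KeyIndex` maps every key ID, primary or subkey, to the whole key. The key material, user ID and class name are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_key_body(created: int, algo: int, *numbers: int) -> bytes:
    """Body of a v4 public-key or public-subkey packet: version, time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(map(mpi, numbers))

def key_id(body: bytes) -> str:
    """v4 key ID: low 64 bits of SHA-1(0x99 || 2-octet length || packet body)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest[-8:].hex().upper()

class KeyIndex:
    """Hypothetical keyserver index: any member key ID resolves to the whole key."""
    def __init__(self):
        self._by_id = {}

    def add(self, uid, primary, subkeys):
        bundle = {"uid": uid, "primary": key_id(primary),
                  "subkeys": [key_id(s) for s in subkeys]}
        # Index the primary AND each subkey, so a subkey ID finds the full key.
        for kid in [bundle["primary"], *bundle["subkeys"]]:
            self._by_id[kid] = bundle
        return bundle

    def fetch(self, issuer_id):
        """Return primary plus all subkeys for a key ID, or None if unknown."""
        return self._by_id.get(issuer_id.upper())

def build_demo():
    # Constructed toy numbers, not real keys. Algorithm 1 = RSA, 16 = Elgamal.
    primary = v4_key_body(1030000000, 1, 0xC0FFEE1234567891, 65537)
    sign_sub = v4_key_body(1030000100, 1, 0xDEADBEEF12345677, 65537)
    enc_sub = v4_key_body(1030000200, 16, 0xFFFFFFFB, 5, 0x1234567)
    idx = KeyIndex()
    idx.add("Example User <user@example.org>", primary, [sign_sub, enc_sub])
    return idx, key_id(primary), key_id(sign_sub), key_id(enc_sub)

if __name__ == "__main__":
    idx, primary_id, sign_sub_id, _ = build_demo()
    # A signature made by the signing subkey carries the subkey's ID as issuer.
    found = idx.fetch(sign_sub_id)
    print("issuer", sign_sub_id, "-> primary", found["primary"], "subkeys", found["subkeys"])
```

An index keyed only on `bundle["primary"]` would return nothing for the issuer ID found in a subkey-made signature, which is the HKP limitation the thread discusses.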



