using subkey signatures

David Shaw dshaw at
Tue Sep 3 15:01:01 CEST 2002

On Tue, Sep 03, 2002 at 09:10:51AM +0200, Werner Koch wrote:
> On Mon, 2 Sep 2002 16:54:43 -0400 (EDT), V Alex Brennen said:
> > I've never found myself in the position of needing to search for a 
> > public subkey.  If you where to deploy PGP in a way in which you
> You need to search for it if the signature was made by a subkey. 
> This is actually a very good security measure because you would be
> able to take the primary secret key offline and only keep a signing
> and an encryption subkey online (cf. gpg --export-secret-subkeys).
> The advantage of this scheme is that only the subkeys can be remotely
> compromised and you can very easy revoke them and create new subkeys
> because you still own an uncompromised primary key on some box not
> connected to the net.
> I'd really like to use this but as long as PGP can't verify something
> signed by a subkey it is not very practicable.

I have (unofficial, of course, but still interesting) mail indicating
that PGP 8 will properly verify signatures made by a subkey when it
comes out later this year.


   David Shaw  |  dshaw at  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

More information about the Gnupg-devel mailing list