GPGME and multiple subkeys

Werner Koch wk at gnupg.org
Thu Oct 30 15:51:45 CET 2003


On Wed, 29 Oct 2003 16:59:18 +0100, David Anderson said:

> In our project, we had envisioned using OpenPGP keys for signing and
> encrypting data, using subkeys created especially for Gobelins:
> someone using his everyday GPG key to play would have a Gobelins
> signature subkey and a Gobelins encryption subkey added to his key.

The question is on how to detect what the Gobelins key is.  The simple
method would be to have the user enter the keyID, a more advanced one
to use notation data to detect the desired subkey.

> Is this something which is part of OpenPGP (not being able to sign
> using a specific signature subkey), or is it just that GPGME cannot do
> this yet? If this is the case, when would it be implemented, and what

OpenPGP does not specify such things.  GnuPG allows you to request the
use of a specific subkey by appending a '!' to the keyID, like:

  gpg -u 0x12345678! -sb ...

Without the exclamation mark, GnuPG autoselects the best usable
subkey.

You are right, GPGME does not yet support enforcing the use of a
specific subkey.  Thanks for noting this.  We should definitely do
something about it.  When doing that we should also allow for more
flexibility, so that for example a subkey may be selected using
notation data or other attributes.  We need to think about the API.

BTW, GnuPG 1.3.4 will support a keyflag named 'authentication' which
should be used if you use the subkey for that purpose.

> other library could I use instead of GPGME to be able to sign using a
> specific subkey?

pipe and fork/exec is obviously a choice, however a way to select a
specific subkey is something we require in GPGME anyway.

  Werner

-- 
Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org
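
Added example, not part of the original message and not GnuPG or GPGME code: a sketch of the fork/exec route discussed above, which checks a user-supplied key ID against the subkeys in `gpg --with-colons --list-keys` output before building the `-u KEYID!` command line. The listing, key IDs, file name and function names are constructed for illustration; only 16-hex-digit key IDs are accepted, which is an assumption of this sketch.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output; key IDs are made up.
SAMPLE = """\
pub:u:1024:17:1111111112345678:1067000000:::u:::scESC:
uid:u::::1067000000::::Test User <test@example.org>:
sub:u:2048:16:22222222AAAAAAAA:1067000001::::::e:
sub:r:1024:17:33333333BBBBBBBB:1067000002::::::s:
sub:u:1024:17:44444444CCCCCCCC:1067000003::::::s:
"""

UNUSABLE = set("idre")  # validity field: invalid, disabled, revoked, expired


def signing_subkeys(listing):
    """Return key IDs of subkeys that are usable and carry the sign capability."""
    found = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] != "sub":
            continue  # only subkey records are of interest here
        validity, keyid, caps = f[1], f[4], f[11]
        if "s" in caps and validity not in UNUSABLE:
            found.append(keyid.upper())
    return found


def pinned_sign_argv(listing, wanted, path):
    """Build the gpg argv for a detached signature made with exactly `wanted`."""
    # Strict hex check keeps option-like or malformed input out of the argv.
    m = re.fullmatch(r"(?:0x)?([0-9A-Fa-f]{16})", wanted)
    if not m:
        raise ValueError("expected a 16-hex-digit key ID")
    keyid = m.group(1).upper()
    if keyid not in signing_subkeys(listing):
        raise ValueError(f"{keyid} is not a usable signing subkey")
    # Trailing '!' stops GnuPG from autoselecting a different subkey.
    return ["gpg", "-u", f"0x{keyid}!", "-sb", path]


if __name__ == "__main__":
    # Pass the list to subprocess.run(argv, check=True); no shell is involved.
    print(pinned_sign_argv(SAMPLE, "0x44444444CCCCCCCC", "data.bin"))
```

The revoked signing subkey and the encryption-only subkey in the sample are both rejected before gpg is ever invoked.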




