key capabilities

David Shaw dshaw at
Thu Dec 30 16:44:32 CET 2004

On Thu, Dec 30, 2004 at 02:55:43PM +0000, Nicholas Cole wrote:
> My old key (created originally with PGP) is marked as
> being capable of signing, certifying and
> authenticating (with the subkey for Encrypting).  GPG
> only marks the keys it creates as suitable for signing
> and certifying.  
> Is there a rationale for this minor incompatibility? I
> know that there are some authentication systems (a
> modified sshd, for example) that do use openpgp keys -
> presumably they should only use keys flagged as
> suitable for this use.

The difference is that PGP doesn't mark keys with capabilities at all.
When reading these unmarked keys, GnuPG must resort to giving the key
all capabilities for that key type since it cannot know what the
intended use was for that key.

If you want to make a key where you pick what flags are set, generate
the key with --expert set.  This enables an option where you can set
any flags you like.


More information about the Gnupg-devel mailing list