limiting scope of signing subkeys

Daniel Kahn Gillmor dkg at
Wed Jun 7 16:13:51 CEST 2017

On Tue 2017-06-06 21:23:04 +0200, Guilhem Moulin wrote:
> I recall you and I discussed that on #debian-keyring a while ago
> (probably around the time I sent that mail to gnupg-devel) :-P  Adding
> another capability sounds neat, but IMHO that won't scale if other folks
> want to limit the scope of their signing subkeys to other domains /
> types of data.

How about a non-critical notation "signing-scope" to the subkey binding
signature (or to the self-sig, if the primary key is marked as
signing-capable) which is a comma-separated list of domains?  we could
enumerate a few different domains and people could add them as they

 * email
 * software

then you'd add a new parameter to GnuPG's --verify-options
"signing-scope=foo", and it would accept signatures only from:

 * signing-capable (sub)keys without the signing-scope notation
 * signing-capable (sub)keys with the signing-scope notation with "foo"
   in the list.

and signatures from any other key would be rejected.

Then people who want to constrain their keys can just issue new
subkey-binding signatures as needed.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170607/67cd5152/attachment.sig>

More information about the Gnupg-devel mailing list