limiting scope of signing subkeys

Guilhem Moulin guilhem at
Wed Jun 7 19:03:35 CEST 2017

On Wed, 07 Jun 2017 at 10:13:51 -0400, Daniel Kahn Gillmor wrote:
> then you'd add a new parameter to GnuPG's --verify-options
> "signing-scope=foo", and it would accept signatures only from:
> * signing-capable (sub)keys without the signing-scope notation
> * signing-capable (sub)keys with the signing-scope notation with "foo"
>  in the list.
> and signatures from any other key would be rejected.
> Then people who want to constrain their keys can just issue new
> subkey-binding signatures as needed.
> wdyt?

I like this! :-)  Compared to the previous proposal this verification
logic sounds a lot less error-prone for verifiers, while keeping an easy
“upgrade path” for users willing to limit the scope of their signing
(sub)keys.  (I would for instance add another — annotated — subkey
binding signature to the subkey used to sign this email, in order to
limit its scope to the “email” domain.  And generate another signing
subkey to use e.g., for code signing.)  Thanks for the idea!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: </pipermail/attachments/20170607/fee33354/attachment.sig>

More information about the Gnupg-devel mailing list