Curiosity with RSA sign/encrypt keys

[David Shaw]

On Mon, Jul 09, 2001 at 11:18:22AM -0500, Brian M. Carlson wrote:
> David Shaw wrote:
> > 
> > When looking at the actual packets in the key, the main public key is
> > algorithm 1 (i.e. "RSA Encrypt or Sign" as per RFC 2440).  The subkey
> > is also algorithm 1.  However, if I sign with this key, gnupg will
> > only use the main key, and if I encrypt with this key, gnupg will only
> > use the subkey.  The "!" syntax still does not allow me to encrypt to
> > the main key.  I tried removing the subkey altogether, leaving only
> > the main key and gnupg still would not allow it to be used for
> > encryption ("unusuable public key").
> 
> PGP will generate v4 keys with algo 1 and keyflags (subpacket 27?) that
> prohibit usage of each key or subkey for anything but signing or
> encrypting, respectively. This is why you are having this issue.

Aha, interesting.  Now it makes sense (I missed the keyflags packet).
Thanks!

I wonder why PGP generates v4 RSA keys this way.  I know there are
many procedural reasons why it is not a good idea to use a single key
for both signing and encryption, but is there a cryptographic reason
why using a single RSA key for both signing and encryption is a poor
idea, or was it just done to maintain the DSS/ELG key/subkey
sign/encrypt way of doing things that people were familiar with?

I'm looking forward to v4 RSA support in gnupg.  It neatly addresses a
common complaint about keeping a very large sign-only key that never
expires to collect signatures, and using the subkeys on that key for
actual work.  Gnupg's --export-secret-subkeys feature, plus v4 RSA
pretty much nails the problem for me.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson