Expiry bug (can convert v3 key to current?)

Werner Koch wk@gnupg.org
Thu Jun 28 08:50:01 2001

 || On Wed, 27 Jun 2001 14:25:55 -0700 (PDT)
 || Len Sassaman <rabbi@quickie.net> wrote: 

 ls> You can't make DSA signing subkeys with GnuPG.

You can. And it makes sense:  GnuPG has that feature to replace the
secret primary key with a stub so that if your box gets compromised,
you can just revoke the subkeys and create new subkeys using your
offline stored secret primary key.  Since 1.0.5 GnuPG favors a subkey
over the primary key unless you force using a specific key by appending
a '!' to the keyID:

 gpg -sbu 0x12345678 foo.txt

selects a suitable subkey/primary key from a keyblock
containing this keyID, whereas

 gpg -sbu 0x12345678! foo.txt

will use the subkey/primary key with the ID 0x1234567 or complain.
(Using --debug 64 shows the process of selecting the key).

Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
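
An added example, not part of the original message and not GnuPG's code: a simplified Python model of the selection rule described above, showing how a keyID with and without the trailing '!' resolves when the primary secret key is an offline stub. The Key fields, the first-usable-subkey tie-break and the sample subkey IDs are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Key:
    keyid: str                     # short key ID (hex, no 0x); constructed values
    can_sign: bool
    is_primary: bool = False
    revoked: bool = False
    secret_available: bool = True  # False models a stubbed primary secret key

class KeySelectionError(Exception):
    """Raised where the mail says gpg would 'complain'."""

def _usable(k):
    return k.can_sign and not k.revoked and k.secret_available

def select_signing_key(keyblock, spec):
    exact = spec.endswith("!")
    wanted = spec.rstrip("!").lower()
    if wanted.startswith("0x"):
        wanted = wanted[2:]
    named = [k for k in keyblock if k.keyid.lower() == wanted]
    if not named:
        raise KeySelectionError("keyblock does not contain " + spec)
    if exact:
        # '!' suffix: use exactly the named key or fail, with no fallback.
        if not _usable(named[0]):
            raise KeySelectionError(spec + " cannot sign")
        return named[0]
    # No '!': favour a usable subkey over the primary key
    # (assumption: the first usable subkey in keyblock order wins).
    for want_primary in (False, True):
        for k in keyblock:
            if k.is_primary == want_primary and _usable(k):
                return k
    raise KeySelectionError("no usable signing key in keyblock")

# Constructed keyblock: offline primary (stub), one revoked and one live
# signing subkey, plus an encryption-only subkey.
KEYBLOCK = [
    Key("12345678", can_sign=True, is_primary=True, secret_available=False),
    Key("AAAA0001", can_sign=True, revoked=True),
    Key("AAAA0002", can_sign=True),
    Key("BBBB0003", can_sign=False),
]
```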