Expiry bug (can convert v3 key to current?)

Werner Koch wk@gnupg.org
Thu Jun 28 08:50:01 2001


 || On Wed, 27 Jun 2001 14:25:55 -0700 (PDT)
 || Len Sassaman <rabbi@quickie.net> wrote: 

 ls> You can't make DSA signing subkeys with GnuPG.

You can. And it makes sense:  GnuPG has that feature to replace the
secret primary key with a stub so that if your box gets compromised,
you can just revoke the subkeys and create new subkeys using your
offline stored secret primary key.  Since 1.0.5 GnuPG favors a subkey
over the primary key unless you force using a specific key by appending
a '!' to the keyID:

 gpg -sbu 0x12345678 foo.txt

selects a suitable subkey/primary key from a keyblock
containing this keyID, whereas

 gpg -sbu 0x12345678! foo.txt

will use the subkey/primary key with the ID 0x1234567 or complain.
(Using --debug 64 shows the process of selecting the key).

  
-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
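
The selection rule described in the message above, modelled in Python as an added example; it is not GnuPG's code and not part of the original post. The keyblock is constructed sample data in `gpg --with-colons` record layout, the function names are hypothetical, and choosing the newest usable subkey when several qualify is an assumption.

```python
# Constructed colon-format records (not real keys).
# Field 1 = record type, 2 = validity (r = revoked, e = expired),
# 5 = key ID, 6 = creation time, 12 = capabilities (s = sign, e = encrypt).
SAMPLE_KEYBLOCK = """\
pub:u:1024:17:AAAAAAAA12345678:946684800:::u:::scSC:
sub:u:2048:16:BBBBBBBB0000E001:946684900::::::e:
sub:r:1024:17:CCCCCCCC0000D001:946685000::::::s:
sub:u:1024:17:DDDDDDDD0000D002:978307200::::::s:
"""

def parse_keyblock(text):
    """Return the pub/sub records as dicts, in keyblock order."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append({"type": f[0], "validity": f[1], "keyid": f[4].upper(),
                         "created": int(f[5]), "caps": f[11]})
    return keys

def usable_for_signing(key):
    """Signing-capable and not revoked, expired, disabled or invalid."""
    return "s" in key["caps"] and key["validity"] not in ("r", "e", "d", "i")

def matches(key, spec):
    """Compare a short or long key ID (optional 0x prefix) with the ID's tail."""
    wanted = spec[2:] if spec.lower().startswith("0x") else spec
    return key["keyid"].endswith(wanted.upper())

def select_signing_key(keys, spec):
    """Model of '-u KEYID' versus '-u KEYID!' as the message describes it."""
    exact = spec.endswith("!")
    hits = [k for k in keys if matches(k, spec.rstrip("!"))]
    if not hits:
        raise LookupError("no key with this ID in the keyblock")
    if exact:
        # '!' forces exactly this key; complain if it cannot sign.
        if not usable_for_signing(hits[0]):
            raise ValueError("forced key is not usable for signing")
        return hits[0]["keyid"]
    # No '!': a usable signing subkey is favoured over the primary key.
    subs = [k for k in keys if k["type"] == "sub" and usable_for_signing(k)]
    if subs:
        return max(subs, key=lambda k: k["created"])["keyid"]  # assumption: newest
    if usable_for_signing(keys[0]):
        return keys[0]["keyid"]
    raise ValueError("keyblock has no key usable for signing")
```

Running the same check against a real `--with-colons` listing shows whether a revoked or encryption-only subkey would leave signing to the primary key.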