David Shaw
Sat Aug 17 16:33:02 2002

On Sat, Aug 17, 2002 at 05:01:03AM +0000, Brian M. Carlson wrote:
> On Fri, Aug 16, 2002 at 03:47:15PM -0400, David Shaw wrote:
> > On Fri, Aug 16, 2002 at 07:07:33PM +0000, Brian M. Carlson wrote:

> > > I liked what you did, so I created something similar for my laptop key. I
> > > have a primary key, which signs subkeys, a data signing subkey, a key
> > > signing subkey, and an encryption subkey. However, the key signing subkey
> > > doesn't sign keys, making it very useless. If this is unavailable,
> > > consider this a wishlist bug. If this is available, please tell me how I
> > > can get it to work, as I've tried everything, including -u DEADBEEF! .
> > 
> > It actually used to be available, but was removed.  The main reason is
> > that the web of trust is currently built via signatures from and on
> > primary keys only.  Subkeys making key signatures would split the web
> > of trust into the PGP half (primary keys only) and the GnuPG half
> > (primary + subkeys).
> If you don't mind, I'd very much like it back. It doesn't violate the RFC
> (or its successors) so it's really PGP's problem that it doesn't comply
> with the RFC in accepting such signatures. My rationale is that because
> this key is for a laptop, and laptops are more likely to get stolen than
> desktops, thus compromising the key, I can simply revoke the subkeys, and
> keep the primary key, which would be on my desktop. Of course, since I
> don't do that much key signing, I *could* use the primary key on my
> desktop, but then I'd use my regular key, right?

Right.  This is what I do.  It's true that this does not violate the
RFC (intentionally, the RFC says almost exactly nothing about trust
models), but I'm not too sure of the benefit here since you can use
the primary key on your desktop to sign other people's keys, just like
you (must) use it to sign subkeys.
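[Added example, not part of the original thread.] The split Brian describes (primary key kept on the desktop, subkeys on the laptop) can be checked from the command line. The script below builds that layout with a current GnuPG (2.1 or later; the --quick-* commands it uses did not exist in 2002), exports only the secret subkeys to a second keyring standing in for the laptop, and then verifies what each keyring can do: the laptop shows the primary as a stub (`sec#`), cannot certify another key, but can sign data; the desktop can certify, and can revoke the laptop's signing subkey if the machine is lost. It goes one step past the thread by running the subkey revocation itself. The user IDs, directories and the "friend" key are constructed for the demo, and the keys are deliberately unprotected so it runs unattended; do not do that with real keys.

```shell
#!/bin/sh
# Added example (not GnuPG's or the thread's own code). Reproduces the
# desktop/laptop key split from the discussion and checks each keyring.
#   desktop: full primary (certify-only) key + signing and encryption subkeys
#   laptop:  secret subkeys only; the primary is a stub, so no key signing
# Assumes gpg 2.1+ on PATH. User IDs and paths are made up for the demo.
set -eu

WORK=$(mktemp -d)
DESKTOP="$WORK/desktop"; LAPTOP="$WORK/laptop"; FRIEND="$WORK/friend"
mkdir -m 700 "$DESKTOP" "$LAPTOP" "$FRIEND"

# Non-interactive gpg against a chosen keyring. Empty passphrase: demo only.
g() { d=$1; shift; gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase '' --homedir "$d" "$@"; }
# Primary fingerprint of a key (first "fpr" record in --with-colons output).
fpr_of() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Desktop: certify-only primary, then a data-signing and an encryption subkey.
# No "key signing subkey" is added: as the thread explains, GnuPG only
# certifies other keys with the primary.
UIDSTR="Laptop Key Demo <laptop@example.invalid>"
g "$DESKTOP" --quick-generate-key "$UIDSTR" ed25519 cert never
FPR=$(fpr_of "$DESKTOP" "$UIDSTR")
g "$DESKTOP" --quick-add-key "$FPR" ed25519 sign never
g "$DESKTOP" --quick-add-key "$FPR" cv25519 encr never

# A constructed third-party key that both machines know about.
g "$FRIEND" --quick-generate-key "Friend <friend@example.invalid>" ed25519 cert never
FFPR=$(fpr_of "$FRIEND" "friend@example.invalid")
g "$FRIEND" --export "$FFPR" | g "$DESKTOP" --import
g "$FRIEND" --export "$FFPR" | g "$LAPTOP" --import

# Laptop: public key plus secret SUBkeys only. The primary arrives as a stub.
g "$DESKTOP" --export "$FPR" | g "$LAPTOP" --import
g "$DESKTOP" --export-secret-subkeys "$FPR" | g "$LAPTOP" --import

# Field 15 of a "sec" record is "#" when only a stub of the secret key exists.
laptop_primary_is_stub() {
  g "$LAPTOP" --with-colons --list-secret-keys "$FPR" |
    awk -F: '$1=="sec"{found=1; stub=($15=="#")} END{exit !(found && stub)}'
}
# Certifying (signing) the friend's key needs the primary: fails on the laptop.
laptop_can_certify()  { g "$LAPTOP"  -u "$FPR" --quick-sign-key "$FFPR" 2>/dev/null; }
desktop_can_certify() { g "$DESKTOP" -u "$FPR" --quick-sign-key "$FFPR" 2>/dev/null; }
# Data signatures use the signing subkey, which the laptop does have.
laptop_can_sign_data() {
  printf 'hello from the laptop\n' > "$WORK/msg"
  g "$LAPTOP" -u "$FPR" --output "$WORK/msg.sig" --detach-sign "$WORK/msg" &&
    g "$DESKTOP" --verify "$WORK/msg.sig" "$WORK/msg" 2>/dev/null
}
# Laptop stolen: from the desktop, revoke subkey 1 (the signing subkey) as
# compromised. --command-fd answers the --edit-key prompts in order: select
# subkey, revkey, confirm, reason 1 = compromised, empty description, confirm, save.
revoke_laptop_signing_subkey() {
  printf 'key 1\nrevkey\ny\n1\n\ny\nsave\n' |
    g "$DESKTOP" --command-fd 0 --status-fd 2 --edit-key "$FPR" >/dev/null 2>&1
}
# Count revoked subkeys: "sub" records whose validity field is "r".
revoked_subkeys() {
  g "$DESKTOP" --with-colons --list-keys "$FPR" |
    awk -F: '$1=="sub" && $2=="r"{n++} END{print n+0}'
}

# Run the checks once, in this order (sign data before the revocation).
LAPTOP_SIGN_OK=fail;  laptop_can_sign_data && LAPTOP_SIGN_OK=ok
DESKTOP_CERTIFY=fail; desktop_can_certify  && DESKTOP_CERTIFY=ok
revoke_laptop_signing_subkey
echo "laptop primary is stub: $(laptop_primary_is_stub && echo yes || echo no)"
echo "laptop can sign data: $LAPTOP_SIGN_OK; desktop can certify: $DESKTOP_CERTIFY"
echo "revoked subkeys on desktop: $(revoked_subkeys)"

# Stop the per-homedir agents and remove the scratch keyrings on exit.
cleanup() { for h in "$DESKTOP" "$LAPTOP" "$FRIEND"; do
              gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
            rm -rf "$WORK"; }
trap cleanup EXIT
```

After the revocation the desktop's updated public key (`gpg --export`) still has to reach the people who hold a copy, e.g. via a keyserver, before the revoked laptop subkey stops being trusted elsewhere; revoking locally is only the first half of the "simply revoke the subkeys" step.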


