disabled keys: bug or misunderstanding (GPG 1.2.1)

KES Norbert Luckhardt <editor@kes.info>
Tue Dec 17 11:20:02 2002


Hello gnupg-users,

when having multiple keys for the same e-mail GPG seems to take the
one which is "oldest" in the key ring, which is not always the one
you'd like it to use (example below)... in PGP I just disabled such
keys which should only be kept for signature verification (or whatever
purpose), so the program had just the one key enabled which should be
used for encryption

while trying this in GPG, the following happens: when you disable the
key which is found first from GPG, it stops on error and does NOT look
further if there is another feasible key for encryption for the given
e-mail address - I consider this a bug

(of course on a command line one could give the key ID instead of the
e-mail address - but frontends and mailer plug-ins usually only hand
over the mail address to GPG to select the encryption target)

any enlightening comments are welcome!

kind regards, Shalom dann,
Norbert


REAL-WORLD EXAMPLE:

the German magazine c't acts as a CA for PGP/GPG keys - and uses a
yearly changing communication key - the CERTIFICATE keys MUST NOT be
used for encrypting messages (by policy decision)

> gpg -k pgpca@ct.heise.de
pub  1024D/B3B2A12C 1999-05-11 ct magazine CERTIFICATE <pgpCA@ct.heise.de>
pub  1024R/BB1D9F6D 1997-03-04 ct magazine CERTIFICATE <pgpCA@ct.heise.de>
pub  1024D/125FDE3D 2001-12-28
     ct magazine pgpCA CommunicationKey 2002 <pgpCA@ct.heise.de>

< now disable the key it finds first for pgpca@ct.heise.de >
>gpg -r pgpca@ct.heise.de -e test.txt
gpg: pgpca@ct.heise.de: übersprungen: öffentlicher Schlüssel ist abgeschaltet
gpg: start.bat: encryption failed: unbrauchbarer öffentlicher Schüssel

(the text says that the corresponding key is disabled and thus
encryption fails - note: this example works only in GPG installations
where the old RSA key is a feasible encryption target - however the
general problem occurs whenever there are more than one valid keys for
a given mail address and GPG chooses the "wrong" one)


-- 
Norbert Luckhardt, Editor in Chief           http://www.kes.info/

KES - IT-Security Journal (AT/CH/DE)
      SecuMedia Verlags-GmbH    Gaulsheimer Straße 17
      55218 Ingelheim           GERMANY

fon  +49-511/5 63 62 93    *    +49-67 25/93 04-11 (ed. assist.)
fax  +49-511/5 63 62 99    *    +49-67 25/59 94

--
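As an added illustration (not part of the original post, and not GnuPG's own code), the selection rule the post asks for can be expressed over the machine-readable output of `gpg --list-keys --with-colons`: collect every key whose user ID carries the address, drop the ones flagged disabled or unable to encrypt, and only then pick one. The field layout (record type, validity, key ID, creation date, user ID, capability letters with `E` for "can encrypt" and `D` for "disabled") is taken from GnuPG's DETAILS documentation; the sample records, key IDs and capability flags below are constructed, and choosing the newest usable key is this example's own design choice rather than anything GnuPG 1.2.1 did.

```python
"""Choose an encryption key for an e-mail address from `gpg --with-colons`
output, skipping disabled keys instead of failing on the first match.

Added example, not code from the original post or from GnuPG. It assumes
the colon-separated listing format documented in GnuPG's DETAILS file:
field 1 record type, field 2 validity, field 5 key ID, field 6 creation
date (YYYY-MM-DD in old versions, epoch seconds in newer ones), field 10
user ID on 'uid' records, field 12 capabilities, where an uppercase 'E'
means the key as a whole can encrypt and 'D' marks a disabled key.
"""
import subprocess
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample listing (key IDs and flags are made up, not real keys):
# three keys carry the same address, the 1999 one has been disabled.
KEY_RSA_1997 = "0000000000AAAA0001"
KEY_DSA_1999 = "0000000000AAAA0002"
KEY_DSA_2002 = "0000000000AAAA0003"
SAMPLE_LISTING = f"""\
pub:f:1024:1:{KEY_RSA_1997}:1997-03-04::::::escaESCA::
uid:f::::1997-03-04::::ct magazine CERTIFICATE <pgpCA@ct.heise.de>:
pub:f:1024:17:{KEY_DSA_1999}:1999-05-11::::::scaESCAD::
uid:f::::1999-05-11::::ct magazine CERTIFICATE <pgpCA@ct.heise.de>:
pub:f:1024:17:{KEY_DSA_2002}:2001-12-28::::::scaESCA::
uid:f::::2001-12-28::::ct magazine pgpCA CommunicationKey 2002 <pgpCA@ct.heise.de>:
sub:f:1024:16:0000000000AAAA0004:2001-12-28::::::e::
"""


@dataclass
class Key:
    keyid: str
    validity: str
    created: datetime
    caps: str                      # field 12 of the pub record
    uids: List[str] = field(default_factory=list)

    @property
    def disabled(self) -> bool:
        return "D" in self.caps

    @property
    def can_encrypt(self) -> bool:
        # 'E' = some usable (sub)key can encrypt; r/e/i = revoked/expired/invalid
        return "E" in self.caps and self.validity not in ("r", "e", "i")


def _parse_date(text: str) -> datetime:
    """Accept both the old YYYY-MM-DD form and the newer epoch-seconds form."""
    if text.isdigit():
        return datetime.fromtimestamp(int(text), tz=timezone.utc)
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_listing(listing: str) -> List[Key]:
    """Turn colon-format records into Key objects, in key-ring order."""
    keys: List[Key] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 11:
            keys.append(Key(keyid=f[4], validity=f[1],
                            created=_parse_date(f[5]), caps=f[11]))
        elif f[0] == "uid" and keys and len(f) > 9:
            keys[-1].uids.append(f[9])   # uid records follow their pub record
    return keys


def candidates(keys: List[Key], address: str) -> List[Key]:
    """Every key carrying <address> as a user ID (case-insensitive)."""
    needle = f"<{address.lower()}>"
    return [k for k in keys if any(needle in u.lower() for u in k.uids)]


def usable_keys(keys: List[Key], address: str) -> List[Key]:
    """Candidates that are neither disabled nor unable to encrypt."""
    return [k for k in candidates(keys, address)
            if not k.disabled and k.can_encrypt]


def select_encryption_key(keys: List[Key], address: str) -> Optional[Key]:
    """Newest usable key for the address, or None if there is none.
    (Newest-first is this example's choice; the post's GnuPG stopped at
    the first match and reported an error when that one was disabled.)"""
    usable = usable_keys(keys, address)
    return max(usable, key=lambda k: k.created) if usable else None


def keys_from_gpg() -> List[Key]:
    """Read the live key ring instead of SAMPLE_LISTING (needs gpg installed)."""
    out = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                         check=True, capture_output=True, text=True).stdout
    return parse_listing(out)


if __name__ == "__main__":
    chosen = select_encryption_key(parse_listing(SAMPLE_LISTING), "pgpca@ct.heise.de")
    print(chosen.keyid if chosen else "no usable key")
```

A frontend that resolves the address this way can then hand the chosen key ID (rather than the bare e-mail address) to `gpg -r`, which is the command-line workaround the post itself mentions; the disabled CERTIFICATE key stays in the ring for signature verification without ever being offered as an encryption target.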