implications of subkeys?

David Shaw dshaw@jabberwocky.com
Wed Feb 27 17:45:01 2002 

On Wed, Feb 27, 2002 at 07:53:57AM -0800, Steve Butler wrote:
> Has anybody written a tutorial on this?  
> 
> I think I finally figured out the Public/Private key <<grin>> but when
> Master and Subkeys are added, then I'm lost.
> 
> Frank put up this nice starting point:
> Primary Key
>   ->uid1
>     -> you sign
>     -> bob signs
>     -> alice signs
>   -> uid2
>     -> you sign
>     -> charlie signs
>   -> subkey1
>     -> you sign
>   -> subkey2
>     -> you sign
> 
> But I still have a lot of questions.  May I presume that the signing key is
> the Master Private Key?  Are the private subkeys signed or is it just the
> public subkeys?  Did that question make any sense?
> 
> How then do signing subkeys enter the picture?

The minimal OpenPGP "key" is made up of one key, called the "master"
or "primary", plus a user ID.  You can add more user IDs, if you like,
and many people do.  The user IDs "belong" to your key, and are bound
there by a self-signature from the primary key.

Now, just take that same idea and replace "user IDs" with "keys" and
you've got subkeys.  You can add any number of keys to the pile, and
to prove that they belong there, they are bound in place by a
self-signature from the primary key.

The only difference between the two concepts is that other people can
add their signatures to your user IDs if they want to, but they cannot
add their signatures to your subkeys.

Details:

* To make all these signatures work, there is a rule that a primary
  key must be able to sign.  If it can encrypt as well, that's fine
  too, but it must at least be able to make a signature.

* When you "sign someone's key", you are actually signing their
  primary key, plus the specific user ID you chose to sign.

* Even though a signing subkey CAN sign another person's key, by
  convention, when you sign another person's user ID, you do it with
  your primary key.

So, to answer your questions:

> May I presume that the signing key is the Master Private Key?

The master private key is *a* signing key.  If you have a subkey that
can sign, then you have more than one signing key.

> Are the private subkeys signed or is it just the public subkeys?
> Did that question make any sense?

Yes.  Private subkeys are signed with the master private key.

> How then do signing subkeys enter the picture?

They're just like the master key, except that you usually don't sign
other people's keys with them.  They're used for signing data.

PGP does not currently support signing subkeys.  Current versions will
give weird error messages if you feed them a message signed with a
signing subkey.  I mailed a nice guy at NAI who hangs out on the
pgp-users list and he added support for verifying such messages for
the next version of PGP.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson