Two Signing keys in one key

David Shaw
Fri Jun 7 17:35:01 2002

On Fri, Jun 07, 2002 at 05:01:12PM +0200, Mail2News Gateway wrote:
> I wonder if this is a legal key:
> pub  1024D/AF6650BF 2002-06-03 Mark Doll <>
> uid                            Mark Doll <>
> uid                            Mark Doll <>
> sub  2048g/43E38F97 2002-06-03 [expires: 2003-06-03]
> sub  1024D/F115985C 2002-06-03 [expires: 2003-06-03]
> I would like to use key AF6650BF for signing other keys only (without an
> expiring date) and key F115985C for signing mails and 43E38F97 for
> encrypting mails (the last two keys exipiring after one year).

Yes, completely legal.  Many people use the same sort of key.

> Export/Import via files works:


> but does not work via a keyserver:

Alas, no.  Most keyservers have a bug that will corrupt a key with
more than one subkey.

> Will this ever work via keyservers? Or is should I use another method to
> get seperate keys for signing keys and signing mails?

This will eventually work via the keyservers, once the new generation
of keyservers are up and running.  In the meantime, certain keyservers
do work with this sort of key - try ldap://

There is one catch to this sort of key that you didn't mention - no
version of PGP understands signatures made from a signing subkey.  It
was supposed to be added, but unfortunately NAI cancelled PGP before
that version was released.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson