Can signing subkeys certify keys?
Mon Nov 18 21:16:01 2002
On Mon, 2002-11-18 at 20:39, David Shaw wrote:
> The OpenPGP standard does not specify a trust model, so you can
> theoretically use a signing subkey for anything you like. However, as
> a practical matter it is not a good idea. The web of trust is built
> by signatures from primaries on primaries, so a subkey signature would
> not be usable as part of the web of trust. Because of this, signing
> subkeys are only permitted to sign data and not other keys.
> The --with-colons listing is incorrect here, and has been fixed for
> the next release of GnuPG.
Thanks for clearing things up, David. I can understand why primary keys
should be used to issue exportable signatures. However, I had hoped that
I at least could use my secondary key for locally certifying keys for
convenience' sake (as I keep my primary on another non-networked
machine). Never mind, one gets used to swapping floppies I guess :)
"All this marching up and down and cheering and waving flags is
simply sex gone sour."
--George Orwell, "Nineteen Eighty-Four"
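
As an added example (not part of the original message and not GnuPG code): a check over `gpg --with-colons` key listings that reports subkeys whose capability field advertises certification, which is the case the thread says should not occur. It assumes the colon-listing layout in which field 12 holds the capability letters (e, s, c, a); the sample listing and key IDs are constructed.

```python
# Audit a `gpg --with-colons` key listing for subkeys that claim the
# certify capability. Assumption: field 12 (index 11) carries capability
# letters; uppercase letters on a primary line are the aggregate for the
# whole key and are ignored here.

# Constructed sample listing (not real keys).
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:2002-01-01:::u:Example User <user@example.org>::scESC:
sub:u:1024:16:BBBBBBBBBBBBBBBB:2002-01-01::::::e:
sub:u:1024:17:CCCCCCCCCCCCCCCC:2002-06-01::::::s:
sub:u:1024:17:DDDDDDDDDDDDDDDD:2002-06-01::::::sc:
"""

PRIMARY = {"pub", "sec"}
SUBKEY = {"sub", "ssb"}


def parse_keys(listing):
    """Return one dict per key record: type, key ID, own capabilities, parent."""
    keys, parent = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in PRIMARY | SUBKEY:
            continue  # uid, sig, fpr and malformed records are skipped
        if fields[0] in PRIMARY:
            parent = fields[4]
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            # Lowercase letters are this key's own capabilities.
            "caps": {c for c in fields[11] if c.islower()},
            "primary": parent,
        })
    return keys


def subkeys_claiming_certify(listing):
    """Key IDs of subkeys whose own capability field includes 'c'."""
    return [k["keyid"] for k in parse_keys(listing)
            if k["type"] in SUBKEY and "c" in k["caps"]]


def signing_only_subkeys(listing):
    """Subkeys limited to signing data, the only use the thread describes."""
    return [k["keyid"] for k in parse_keys(listing)
            if k["type"] in SUBKEY and k["caps"] == {"s"}]


if __name__ == "__main__":
    for keyid in subkeys_claiming_certify(SAMPLE):
        print("subkey advertises certify capability:", keyid)
```
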