Can signing subkeys certify keys?
David Shaw
dshaw@jabberwocky.com
Mon Nov 18 22:22:02 2002

On Mon, Nov 18, 2002 at 09:18:01PM +0100, Konrad Podloucky wrote:
> On Mon, 2002-11-18 at 20:39, David Shaw wrote:
> > [...]
> > The OpenPGP standard does not specify a trust model, so you can
> > theoretically use a signing subkey for anything you like. However, as
> > a practical matter it is not a good idea. The web of trust is built
> > by signatures from primaries on primaries, so a subkey signature would
> > not be usable as part of the web of trust. Because of this, signing
> > subkeys are only permitted to sign data and not other keys.
> >
> > The --with-colons listing is incorrect here, and has been fixed for
> > the next release of GnuPG.
> >
> Thanks for clearing things up, David. I can understand why primary keys
> should be used to issue exportable signatures. However I had hoped that
> I at least could use my secondary key for locally certifying keys for
> convenience' sake (as I keep my primary on another non-networked
> machine). Never mind, one gets used to swapping floppies I guess :)

Since you are only concerned about local signatures, one thing you
could do is just make yourself a key that you don't use except to sign
keys locally. Just don't send this local-only key to a keyserver ;)

David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
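
Added example, not part of the original message or of GnuPG: a small Python check that reads `gpg --with-colons` output and reports which keys are listed with the certify capability, flagging any subkey that advertises it. It assumes the field layout documented in GnuPG's doc/DETAILS (field 1 record type, field 5 key ID, field 12 capabilities); the sample listing and key IDs are constructed.

```python
# Added example: audit key capabilities in `gpg --with-colons` output.
# Assumed field layout (GnuPG doc/DETAILS): 1 = record type, 5 = key ID,
# 12 = capabilities. The listing below is constructed for illustration.

SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1037000000:::u:::scESC:
uid:u::::1037000000::::Example User <user@example.org>:
sub:u:1024:17:BBBBBBBBBBBBBBBB:1037000100::::::s:
sub:u:2048:16:CCCCCCCCCCCCCCCC:1037000200::::::e:
sub:u:1024:17:DDDDDDDDDDDDDDDD:1037000300::::::sc:
"""

KEY_RECORDS = {"pub", "sec", "sub", "ssb"}
SUBKEY_RECORDS = {"sub", "ssb"}
# Lowercase letters describe the key on that line; uppercase letters on a
# primary key line summarise the whole key and are ignored here.
CAP_NAMES = {"s": "sign", "c": "certify", "e": "encrypt", "a": "authenticate"}


def parse_keys(listing):
    """Return one dict per key/subkey record with its own capability letters."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in KEY_RECORDS or len(fields) < 12:
            continue  # uid, sig, fpr and malformed lines carry no key capabilities
        own = {c for c in fields[11] if c in CAP_NAMES}
        keys.append({"record": fields[0], "keyid": fields[4], "caps": own})
    return keys


def subkeys_claiming_certify(listing):
    """Key IDs of subkeys whose listing line advertises the certify capability."""
    return [k["keyid"] for k in parse_keys(listing)
            if k["record"] in SUBKEY_RECORDS and "c" in k["caps"]]


if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        names = ", ".join(sorted(CAP_NAMES[c] for c in k["caps"])) or "none"
        print(f'{k["record"]} {k["keyid"]}: {names}')
    for keyid in subkeys_claiming_certify(SAMPLE):
        print(f"review: subkey {keyid} is listed with certify capability")
```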