Can signing subkeys certify keys?

David Shaw
Mon Nov 18 22:22:02 2002

On Mon, Nov 18, 2002 at 09:18:01PM +0100, Konrad Podloucky wrote:
> On Mon, 2002-11-18 at 20:39, David Shaw wrote:
> > [...]
> > The OpenPGP standard does not specify a trust model, so you can
> > theoretically use a signing subkey for anything you like.  However, as
> > a practical matter it is not a good idea.  The web of trust is built
> > by signatures from primaries on primaries, so a subkey signature would
> > not be usable as part of the web of trust.  Because of this, signing
> > subkeys are only permitted to sign data and not other keys.
> > 
> > The --with-colons listing is incorrect here, and has been fixed for
> > the next release of GnuPG.
> >
> Thanks for clearing things up, David. I can understand why primary keys
> should be used to issue exportable signatures. However I had hoped that
> I at least could use my secondary key for locally certifying keys for
> convenience' sake (as I keep my primary on another non-networked
> machine). Never mind, one gets used to swapping floppies I guess :)

Since you are only concerned about local signatures, one thing you
could do is just make yourself a key that you don't use except to sign
keys locally.  Just don't send this local-only key to a keyserver ;)


   David Shaw  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
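As an added example (not part of this thread and not GnuPG's own code), the following Python parses a constructed `gpg --with-colons --list-keys` listing in the format current GnuPG emits, where a signing subkey carries only the lowercase `s` capability and only the primary key carries `c`, and answers the question of the thread mechanically: a key may certify other keys only if it is a primary key with the `c` capability, while any key with `s` may sign data. The key IDs, fingerprints, dates and user ID in the sample are invented.

```python
"""Parse gpg --with-colons key listings and decide which keys may certify.

Added example, not from the gnupg-users thread. The listing below is
constructed; key IDs, fingerprints, dates and user IDs are invented.
"""
from dataclasses import dataclass

# Constructed sample of `gpg --with-colons --list-keys` output.
# Field 1 = record type, field 5 = key ID, field 12 = capabilities:
# lowercase letters are this key's own capabilities, uppercase letters on
# the pub line are the capabilities usable through the whole key.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1037657881:::u:::scESCA::::::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:u::::1037657881::1A2B3C4D5E6F::Konrad Podloucky <konrad@example.org>::::::::::0:
sub:u:2048:1:1122334455667788:1037657882::::::s::::::23:
fpr:::::::::00112233445566778899AABBCCDDEEFF11223344:
sub:u:2048:1:8877665544332211:1037657883::::::e::::::23:
fpr:::::::::FFEEDDCCBBAA99887766554433221100AABBCCDD:
"""


@dataclass
class Key:
    keyid: str
    is_primary: bool
    caps: set        # lowercase capability letters of this key only
    primary_id: str  # key ID of the primary key this key belongs to


def parse_colons(text):
    """Return {keyid: Key} for every pub/sub/sec/ssb record in a listing."""
    keys = {}
    current_primary = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype not in ("pub", "sub", "sec", "ssb"):
            continue  # fpr/uid records carry no capability field
        keyid = fields[4]
        caps = {ch for ch in fields[11] if ch.islower()}
        is_primary = rtype in ("pub", "sec")
        if is_primary:
            current_primary = keyid
        keys[keyid] = Key(keyid, is_primary, caps, current_primary)
    return keys


def can_certify(keys, keyid):
    """True only for a primary key that carries the 'c' (certify) capability.

    Certifications (signatures on other keys) are what the web of trust is
    built from, so a subkey never qualifies, whatever its capabilities.
    """
    k = keys.get(keyid)
    return k is not None and k.is_primary and "c" in k.caps


def can_sign_data(keys, keyid):
    """True for any key, primary or subkey, with the 's' capability."""
    k = keys.get(keyid)
    return k is not None and "s" in k.caps


def check_certifier(keys, keyid):
    """Explain why a key may or may not be used to certify another key."""
    k = keys.get(keyid)
    if k is None:
        return "unknown key"
    if not k.is_primary:
        return (f"subkey of {k.primary_id}: can sign data={'s' in k.caps}, "
                "cannot certify keys")
    if "c" not in k.caps:
        return "primary key without certify capability"
    return "primary key with certify capability: may certify"


if __name__ == "__main__":
    ring = parse_colons(SAMPLE_LISTING)
    for kid in ring:
        print(kid, "->", check_certifier(ring, kid))
```

Running it prints one verdict per key: the primary may certify, the `s` subkey may sign data but not certify, and the `e` subkey may do neither. The same parse is what a script would run before attempting `--lsign-key`, to pick a key that GnuPG will actually accept as the certifier.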