existing keys as subkey

David Shaw dshaw@jabberwocky.com
Thu Oct 3 14:50:02 2002

On Thu, Oct 03, 2002 at 11:49:50AM +0200, Ingo Kl=F6cker wrote:

> On Thursday 03 October 2002 01:27, 1984 wrote:
> > Hello,
> > I want to install a pgp/gpg secured mailinglist. The best possibility
> > is to generate a new key, includes every key of the entered users.
> > Every mail to the list must be encrypted with this public key.
> > My question is: how can I build a key and implement other existing
> > keys as subkeys of this one? So that every mail encrypted by the key
> > is encrypted by the keys of all users.
> >
> > The only way, I think, is to use ADK of PGP, because in GnuPG you
> > cannot take existing keys as a subkey, you can only generate a new
> > one.
> All you have to do is generate a new key which is used to encrypt=20
> messages which are sent by the subscribers to the mailinglist and which=
> is used to sign the subscribers' keys.
> This is how the encrypted mailinglist works:
> When someone what's to sent a message to the mailinglist he encrypts th=
> message with the mailinglist key.
> The mailinglist manager receives the message, decrypts it, re-encrypts=20
> it for all subscribers and then sends it to the subscribers. In order=20
> to protect the privacy of the subscribers the message should be=20
> encrypted for each subscriber separately.

That would be a lot of messages, and you lose the nice mailing list
ability to send in bulk (i.e. you have more than one subscriber at a
given domain, so you send one copy to that domain and let their mail
system deliver it multiple times).

You can use --throw-keyid to remove the key IDs of the subscribers, so
the only thing that an attacker would know about the subscribers is
how many of them there are.  You can throw some extra fake
"subscribers" into the mix as well to throw off the count as well ;)

The only catch is that PGP does not implement speculative keyids, so
all of the subscribers must be using GnuPG.  Or you could only use
--throw-keyid on the GnuPG users.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.co=
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson