[Q] Multiple signing keys (was: DSA 1024-bit limit)

Dennis Lambe Jr. malsyned@cif.rochester.edu
Wed May 14 04:41:02 2003

> 1) When I sign, how do I specify a non-default signing key?

If you have signing subkeys, the one with the most recent self-signature
will be used to sign documents and emails.

As far as I can tell, your primary key is the only one which can be used
to sign other keys, but I'd like to hear from some more knowledgeable
people on that point.

> 2) I don't fully understand the role of the primary key.

Signatures, as you probably know, are made on hashes of data, not the
data itself.  When a key is signed, what the signature is certifying is
that a particular person owns a particular key.  In order to do that,
the signature must bind a public key to an ID.  To accomplish this,
OpenPGP specifies that a key signature should be made by combining the
public key and the ID (with concatenation, I think), hashing that, and
signing the hash.

When a person "signs your key", they're actually signing all (or some)
of the identities attached to it.  They're certifying that your
/primary/ signing key belongs to the identity it claims to.  Remembering
that PGP data of all sorts is made up of packets, here's what that part
of the key looks like:

:primary public key packet (P1):
:an identity(I1):
:a self-signature(S1):
	signed hash of the primary public key(P1) and the identity(I1)
	made by the secret part of the primary key
:another identity(I2):
:a self-signature(S2):
	signed hash of P1 and the other identity(I2)
:someone else's signature(S3):
	signed hash of P1 and I2 made by someone who verified that
	I2, but not necessarily I1, is the owner of P1.

Subkeys are attached to a primary keypair by being signed by the secret
part of that keypair.  They are known to belong to the owner of the
primary keypair so long as the assumption that he's the only one
with access to the secret key holds.

So the primary key is more important than any of the subkeys.  The
reasons are that it collects signatures, that it signs the subkeys
(subkeys aren't trusted to sign each other), and that it signs other keys
(right?  somebody back me up on this last point?).  Yes, it should be at
least as secure as any signing subkeys, and there is a case to be made
both for and against making it as secure as encryption subkeys.  The for
argument is the same, and I think you've already got the RSA vs. DSA
OpenPGP FAQ that makes the argument against.  The summary is:

>> A 1024-bit signature is unlikely to be forged because that forgery
would serve as proof that 1024-bit PK encryption has been broken, and
whoever broke it wouldn't want to tip their hand and lose the ability to
decrypt with impunity just to forge signatures, so they won't forge your
signature even if they could. <<

It was based on this information that I made the decision to create my
key as follows:

pub  4096R/F53BA904 2003-04-21 Dennis Patrick Lambe Jr.
[...snipped other IDs...]
sub  1024D/16DE8D28 2003-04-21
sub  4096g/BCE387ED 2003-04-21

I believe David Shaw has a similar rationale for his key, which has the
same structure.  Is that right, David?

--Dennis Lambe
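
Added example, not part of the original message: the data a V4 certification signature hashes, following the framing in RFC 4880 section 5.2.4, computed for the P1/I1/I2 layout sketched in the message. The key bytes, user IDs, timestamps and the helper names `cert_hash`, `creation_time` and `demo` are constructed for illustration.

```python
import hashlib
import struct

def cert_hash(key_body, user_id, sig_type=0x10, hashed_subpackets=b"",
              pk_algo=1, hash_algo=2):
    """SHA-1 digest that a V4 certification signature signs."""
    h = hashlib.sha1()
    # Key being certified: 0x99, two-octet length, public-key packet body.
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    # Identity being bound: 0xB4, four-octet length, user ID bytes.
    h.update(b"\xb4" + struct.pack(">I", len(user_id)) + user_id)
    # The signature's own hashed fields: version 4, type, algorithms
    # (1 = RSA, 2 = SHA-1), then the hashed subpacket area.
    sig_data = (bytes([4, sig_type, pk_algo, hash_algo])
                + struct.pack(">H", len(hashed_subpackets))
                + hashed_subpackets)
    h.update(sig_data)
    # Trailer: 0x04, 0xFF, four-octet length of sig_data.
    h.update(b"\x04\xff" + struct.pack(">I", len(sig_data)))
    return h.digest()

def creation_time(ts):
    """Signature creation time subpacket (length 5, type 2)."""
    return b"\x05\x02" + struct.pack(">I", ts)

# Constructed sample data, not a real key: a V4 RSA public-key packet body
# with a toy 16-bit modulus (0xC35B) and exponent 65537.
P1 = (b"\x04" + struct.pack(">I", 1050883200) + b"\x01"
      + b"\x00\x10\xc3\x5b" + b"\x00\x11\x01\x00\x01")
I1 = b"Example User <user@example.org>"
I2 = b"Example User <user@work.example>"

def demo():
    """Digests for the three signatures in the packet layout above."""
    return {
        "S1": cert_hash(P1, I1, 0x13, creation_time(1050883200)),  # self-sig on I1
        "S2": cert_hash(P1, I2, 0x13, creation_time(1050883200)),  # self-sig on I2
        "S3": cert_hash(P1, I2, 0x10, creation_time(1052000000)),  # third party on I2
    }

if __name__ == "__main__":
    for name, digest in demo().items():
        print(name, digest.hex())
```

Each digest covers exactly one key and one user ID, so a certification over P1 and I2 carries no statement about I1; the length prefixes keep the boundary between key and user ID unambiguous.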
