Questions about subkeys acrobatics (from Adrian von Bidder
Adrian von Bidder
avbidder at fortytwo.ch
Thu Nov 13 15:01:03 CET 2003
On Thursday 13 November 2003 14:08, Boix Ricart Marc wrote:
> Hi all,
> If I've understood the manoeuvre, you encrypt and sign from an insecure
> machine (signing with a subkey available only in this machine) and the
> receptor can decrypt your signature (with the subkey pair available in your
> public key file).
Right. I don't trust my work computer to carry the primary secret key - so I
can contain potential damage by revoking the compromised subkey.
> So, why not encrypt with all encryption subkeys (signed with the primary
> key) available in the public key?? (like encrypt a message addressed to
> several GPG users, each with a personal public key)
> Is GPG not implemented to encrypt a message with all the subkeys for
> encryption available in an imported public key??
> Is not interesting to have this feature?? why??
I'm not a cryptographics expert, but IIRC in some cases it is not good to
encrypt the same content to many different keys (This obviously happens
already if you send a message to several users - I don't know if this is a
real problem or if it isn't, or if gnupg works around this being a problem).
Also, there would be quite a long transition period until everybody would send
me messages encrypted to all applicable (not expired/revoked) subkeys. In
this period, I'd often receive messages with not-updated gpg/pgp versions,
encrypted with the wrong subkey.
While this problem is true for subkey signatures, too, I feel that in most
cases it is worse not to be able to decrypt a message than just not to be
able to verify a signature.
(Hey, cool! There are people who actually have their minds switched to 'on'
while their eyes glide over the text - thanks for your comments!)
Nothing is so frustrating as a bad situation that is beginning to
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 331 bytes
Url : /pipermail/attachments/20031113/895f2973/attachment.bin
More information about the Gnupg-users