Questions about subkeys acrobatics (from Adrian von Bidder article)

Adrian von Bidder avbidder at
Thu Nov 13 15:01:03 CET 2003

On Thursday 13 November 2003 14:08, Boix Ricart Marc wrote:
> Hi all,


> If I've understood the manoeuvre, you encrypt and sign from an insecure
> machine (signing with a subkey available only in this machine)  and the
> receptor can decrypt your signature (with the subkey pair available in your
> public key file).

Right. I don't trust my work computer to carry the primary secret key - so I 
can contain potential damage by revoking the compromised subkey.

> So, why not encrypt with all encryption subkeys (signed with the primary
> key) available in the public key?? (like encrypt a message addressed to
> several GPG users, each with a personal public key)
> Is GPG not implemented to encrypt a message with all the subkeys for
> encryption available in an imported public key??
> Is not interesting to have this feature?? why??

I'm not a cryptographics expert, but IIRC in some cases it is not good to 
encrypt the same content to many different keys (This obviously happens 
already if you send a message to several users - I don't know if this is a 
real problem or if it isn't, or if gnupg works around this being a problem).

Also, there would be quite a long transition period until everybody would send 
me messages encrypted to all applicable (not expired/revoked) subkeys. In 
this period, I'd often receive messages with not-updated gpg/pgp versions, 
encrypted with the wrong subkey.

While this problem is true for subkey signatures, too, I feel that in most 
cases it is worse not to be able to decrypt a message than just not to be 
able to verify a signature.

-- vbi

(Hey, cool! There are people who actually have their minds switched to 'on' 
while their eyes glide over the text - thanks for your comments!)

Shannon's Observation:
	Nothing is so frustrating as a bad situation that is beginning to
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 331 bytes
Desc: signature
Url : /pipermail/attachments/20031113/895f2973/attachment.bin

More information about the Gnupg-users mailing list