Migrating keys (fwd)
dshaw at jabberwocky.com
Thu Nov 27 19:13:50 CET 2003
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, Nov 27, 2003 at 03:49:03PM -0800, Atom 'Smasher' wrote:
> > > but, if i sign your key, and you add a sub-key, that carries my
> > > signature, just the same as your original key that i signed... my
> > > understanding of PGP/GPG is that it's easy to "go back in time" and
> > > add a sub-key, so it would appear that the sub-key was also signed.
> > No. If you sign my key, you sign my primary key plus a user ID.
> > **I** sign my subkeys. You do not sign them.
> yes. the encryption key isn't signed by other people, just the signing
> i knew this would get confusing....
> let's see... bob has his key signed by alice. i know alice, and i trust
> her signature on bob's key. then bob goes and get's abducted by aliens (or
> the mob, MIB, etc) and they have enough computing power to recover his
> 1024 signing key, but not his 2048 encryption key. (or, maybe bob was just
> using one of the faulty ElGamal keys as a primary key?)
> now, the aliens (or the mob, MIB, etc) set their computer's clock to some
> time *before* alice's signature (setting the time to the past is optional,
> but may be useful in some circumstances). then they generate a new
> encryption sub-key and (self) sign it with bob's signing key, pretending
> to be bob. if they set their clock back, it would appear that the new
> sub-key was known to alice (who i trust).
No. When you sign a key, you sign the primary, and you sign a user
ID. You do not sign a subkey, and thus you are not making a statement
in any way, shape, or form about the number, quality, or otherwise of
the subkeys. Don't read too much into what a key signature means.
Key signatures have exactly nothing to do with subkeys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.5-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
-----END PGP SIGNATURE-----
More information about the Gnupg-users