Migrating keys

Adrian von Bidder avbidder at fortytwo.ch
Fri Nov 28 11:42:25 CET 2003

On Thursday 27 November 2003 21:29, Atom 'Smasher' wrote:

> in one case (based on a signed email) one might (or might not) explicitly
> sign a new key... in the other case (a new sub-key is generated) one has
> implicitly (and unknowingly) signed the new sub-key.

You never sign the subkey - I do usually not look at subkeys when I sign a 
key, since it's entirely in the keyholder's interest to properly manage the 
subkeys. If you're paranoid about a subkey, then only trust signatures from 
the primary. You could also add a notation subpacket when signing a key and 
list the available subkeys at the time of your signature.

The question here is: against what type of attack are you trying to defend?

-- vbi
featured link: http://fortytwo.ch/smtp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 335 bytes
Desc: signature
Url : /pipermail/attachments/20031128/df972844/attachment.bin

More information about the Gnupg-users mailing list