Migrating keys
Adrian von Bidder
avbidder at fortytwo.ch
Fri Nov 28 11:42:25 CET 2003
On Thursday 27 November 2003 21:29, Atom 'Smasher' wrote:

> in one case (based on a signed email) one might (or might not) explicitly
> sign a new key... in the other case (a new sub-key is generated) one has
> implicitly (and unknowingly) signed the new sub-key.

You never sign the subkey - I usually do not look at subkeys when I sign a
key, since it's entirely in the keyholder's interest to properly manage the
subkeys. If you're paranoid about a subkey, then only trust signatures from
the primary. You could also add a notation subpacket when signing a key and
list the available subkeys at the time of your signature.

The question here is: against what type of attack are you trying to defend?

cheers
-- vbi
--
featured link: http://fortytwo.ch/smtp
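
The suggestion above about listing subkeys in a notation, sketched as an added example that is not part of the original post: it takes the subkey fingerprints from `gpg --with-colons` output, formats a value for gpg's `--cert-notation` option, and later reports subkeys that were not present at signing time. The notation name `subkeys-at-signing@example.org`, the function names and the sample listings are assumptions constructed for illustration.

```python
# Added example, not from the original post. Names and sample data are constructed.
NOTATION_NAME = "subkeys-at-signing@example.org"  # hypothetical notation name

FPR_PRIMARY = "0" * 24 + "A" * 16  # constructed 40-hex-digit fingerprints
FPR_ENC = "1" * 24 + "B" * 16
FPR_NEW = "2" * 24 + "C" * 16


def sample_listing(sub_fprs):
    """Constructed stand-in for `gpg --with-colons` output for one key."""
    rows = ["pub:u:4096:1:%s:1069977600:::u:::scESC:" % FPR_PRIMARY[-16:],
            "fpr:::::::::%s:" % FPR_PRIMARY,
            "uid:u::::1069977600::::Constructed User <user@example.org>:"]
    for fp in sub_fprs:
        rows += ["sub:u:4096:1:%s:1069977600::::::e:" % fp[-16:],
                 "fpr:::::::::%s:" % fp]
    return "\n".join(rows) + "\n"


def subkey_fingerprints(colon_listing):
    """Fingerprints of the subkeys only; an fpr record describes the
    pub or sub record that precedes it."""
    fprs, owner = [], None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            owner = f[0]
        elif f[0] == "fpr" and len(f) > 9:
            if owner == "sub":
                fprs.append(f[9].upper())
            owner = None
    return sorted(fprs)


def cert_notation_arg(colon_listing):
    """Argument for --cert-notation, recording the subkeys seen at signing."""
    return "%s=%s" % (NOTATION_NAME, ",".join(subkey_fingerprints(colon_listing)))


def subkeys_added_since(notation_value, colon_listing):
    """Subkeys on the key now that the notation value does not list."""
    noted = set(filter(None, notation_value.upper().split(",")))
    return [fp for fp in subkey_fingerprints(colon_listing) if fp not in noted]


if __name__ == "__main__":
    print(cert_notation_arg(sample_listing([FPR_ENC])))
    print(subkeys_added_since(FPR_ENC, sample_listing([FPR_ENC, FPR_NEW])))
```
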