Migrating keys (fwd)
linux at codehelp.co.uk
Sun Nov 30 09:06:21 CET 2003
On Sunday 30 Nov 2003 2:44 am, Atom 'Smasher' wrote:
> the two questions that remain are:
> 1) is there a way to not only trust, but verify someone's sub-key?
> is there an easy and/or standardized way for bob to meet with alice and
> allow them both to verify each other's sub-keys? they can do this for
> their signing keys by exchanging and confirming their key types, sizes and
> fingerprints, but i don't know of any application that generates
> fingerprints of sub-keys.
From man gpg:
List all keys with their fingerprints. This is the same output
as --list-keys but with the additional output of a line
with the fingerprint. May also be combined with --list-sigs
If this command is given twice, the fingerprints
of all secondary keys are listed too.
$ gpg --fingerprint --fingerprint 28bcb3e3
pub 1024D/28BCB3E3 2002-01-27 Neil Williams (CodeHelp)
Key fingerprint = 4CD4 6644 C105 48ED CA28 EC36 8801 094A 28BC B3E3
sub 1024g/AD3CB326 2002-01-27
Key fingerprint = 911E 399A 4033 0310 6152 582F A006 27FC AD3C B326
> 2) if we trust that bob's signing key has not been compromised, is there
> a difference between accepting a new key because bob adds a new sub-key to
> his public-key; and accepting a new key because bob sent a signed email
> that instructs us to do so. in both cases, bob's old key (that we trust)
If Bob adds a UID, there's nothing to say you should sign it, just because
you've signed another UID on the same key. It needs separate verification -
usually using an encrypted email sent to the email address in the UID asking
for some random text to be quoted back in a signed reply. Same with a new
subkey - you'd need to repeat verification if you want to be sure about it.
If the old encryption subkey is still usable, encrypt to that, asking for the
fingerprint of the new subkey, as above. If not, keysigning procedures start
all over again.
> has signed his new key (which we might not trust, yet). how do i know that
> the new key bob generated is the same new key that i think is his new key?
You don't - necessarily. If you are concerned, try to contact him by either
the previous subkey or by secondary means.
> looking at rfc 2440 (11.2) it looks like an application should be able to
> generate fingerprints for sub-keys. for some applications, it's good
> enough to trust... other times things should be verified.
GnuPG can - it's all in the man page.
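As an added example (not code from either poster), here is a small Python script that parses the machine-readable form of the listing above (`gpg --with-colons --fingerprint --fingerprint KEYID`) and checks a fingerprint transcribed from an in-person or encrypted exchange against the subkeys on the keyring. The sample listing is constructed from the fingerprints quoted in the message; the `tru` and `uid` records are assumed filler.

```python
import re
from collections import OrderedDict

# Constructed sample of what `gpg --with-colons --fingerprint --fingerprint 28bcb3e3`
# prints for the key shown in the message. Fingerprints are the ones quoted above;
# the long key IDs are the last 16 hex digits of each fingerprint (RFC 2440 11.2).
SAMPLE_COLONS = """\
tru::1:1070179581:0:3:1:5
pub:u:1024:17:8801094A28BCB3E3:2002-01-27:::u:Neil Williams (CodeHelp)::scaESCA:
fpr:::::::::4CD46644C10548EDCA28EC368801094A28BCB3E3:
uid:u::::2002-01-27::0000000000000000000000000000000000000000::Neil Williams (CodeHelp):
sub:u:1024:16:A00627FCAD3CB326:2002-01-27::::::e:
fpr:::::::::911E399A403303106152582FA00627FCAD3CB326:
"""


def parse_fingerprints(colons_text):
    """Map (kind, long key ID) -> fingerprint for every pub and sub record.
    In colon format an fpr record always belongs to the pub/sub record just before it."""
    result = OrderedDict()
    current = None
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            current = (fields[0], fields[4].upper())   # field 5: long key ID
        elif fields[0] == "fpr" and current is not None:
            result[current] = fields[9].upper()        # field 10: fingerprint
            current = None
    return result


def normalise(fpr_text):
    """Strip the spaces a human reads out ('911E 399A ...') and upper-case the hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr_text).upper()


def verify_subkey(colons_text, expected_fpr):
    """Return (kind, key ID) of the key whose fingerprint matches the one the other
    party gave you out of band, or None if nothing on the keyring matches.
    Also checks that the key ID really is the tail of the fingerprint (v4 rule)."""
    want = normalise(expected_fpr)
    if len(want) != 40:
        raise ValueError("a v4 fingerprint is 40 hex digits, got %d" % len(want))
    for (kind, keyid), fpr in parse_fingerprints(colons_text).items():
        if fpr == want:
            if not fpr.endswith(keyid):
                raise ValueError("key ID %s is not the tail of its fingerprint" % keyid)
            return kind, keyid
    return None
```

Run it against real output by piping `gpg --with-colons --fingerprint --fingerprint KEYID` into `verify_subkey` together with the fingerprint Bob gave you; a `None` result means the subkey on your keyring is not the one he described.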