Migrating keys (fwd)

Neil Williams linux at codehelp.co.uk
Sun Nov 30 09:06:21 CET 2003

On Sunday 30 Nov 2003 2:44 am, Atom 'Smasher' wrote:
> the two questions that remain are:
>  1) is there a way to not only trust, but verify someone's sub-key?
> is there an easy and/or standardized way for bob to meet with alice and
> allow them both to verify each other's sub-keys? they can do this for
> their signing keys by exchanging and confirming their key types, sizes and
> fingerprints, but i don't know of any application that generates
> fingerprints of sub-keys.

From man gpg:
      --fingerprint [names]
                 List all keys with their fingerprints. This is the same
                 output as --list-keys but with the additional output of a
                 line with the fingerprint. May also be combined with
                 --list-sigs or --check-sigs. If this command is given
                 twice, the fingerprints of all secondary keys are listed
                 too.

$ gpg --fingerprint --fingerprint 28bcb3e3
pub  1024D/28BCB3E3 2002-01-27 Neil Williams (CodeHelp)
     Key fingerprint = 4CD4 6644 C105 48ED CA28  EC36 8801 094A 28BC B3E3
sub  1024g/AD3CB326 2002-01-27
     Key fingerprint = 911E 399A 4033 0310 6152  582F A006 27FC AD3C B326

>  2) if we trust that bob's signing key has not been compromised, is there
> a difference between accepting a new key because bob adds a new sub-key to
> his public-key; and accepting a new key because bob sent a signed email
> that instructs us to do so. in both cases, bob's old key (that we trust)

If Bob adds a UID, there's nothing to say you should sign it, just because 
you've signed another UID on the same key. It needs separate verification - 
usually using an encrypted email sent to the email address in the UID asking 
for some random text to be quoted back in a signed reply. Same with a new 
subkey - you'd need to repeat verification if you want to be sure about it. 
If the old encryption subkey is still usable, encrypt to that, asking for the 
fingerprint of the new subkey, as above. If not, keysigning procedures start 
all over again.

> has signed his new key (which we might not trust, yet). how do i know that
> the new key bob generated is the same new key that i think is his new key?

You don't - necessarily. If you are concerned, try to contact him by either 
the previous subkey or by secondary means.

> looking at rfc 2440 (11.2) it looks like an application should be able to
> generate fingerprints for sub-keys. for some applications, it's good
> enough to trust... other times things should be verified.

GnuPG can - it's all in the man page.


Neil Williams
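
Added example, not part of the original message: a Python sketch that checks a subkey fingerprint obtained out of band against GnuPG's machine-readable listing. The sample text is constructed in the layout of `gpg --with-colons --fingerprint --fingerprint`, using the key IDs and fingerprints shown above; the function names are hypothetical and V4 keys are assumed.

```python
# Constructed sample in the layout of `gpg --with-colons --fingerprint --fingerprint`;
# the key IDs and fingerprints are the ones shown in the message above.
SAMPLE = """\
pub:u:1024:17:8801094A28BCB3E3:2002-01-27:::u:Neil Williams (CodeHelp):
fpr:::::::::4CD46644C10548EDCA28EC368801094A28BCB3E3:
sub:u:1024:16:A00627FCAD3CB326:2002-01-27:
fpr:::::::::911E399A403303106152582FA00627FCAD3CB326:
"""

def normalize(fpr):
    """Drop spaces and case so a typed or read-aloud fingerprint compares cleanly."""
    return "".join(fpr.split()).upper()

def list_fingerprints(colons):
    """Return [(record_type, key_id, fingerprint)] for each pub/sub record."""
    keys, pending = [], None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            pending = (f[0], f[4].upper())       # field 5 is the 64-bit key ID
        elif f[0] == "fpr" and pending and len(f) > 9:
            fpr = normalize(f[9])                # field 10 is the fingerprint
            # RFC 2440 11.2: a V4 key ID is the low 64 bits of the fingerprint.
            if len(fpr) == 40 and not fpr.endswith(pending[1]):
                raise ValueError("key ID %s does not match fingerprint" % pending[1])
            keys.append((pending[0], pending[1], fpr))
            pending = None
    return keys

def verify_subkey(colons, claimed):
    """True only if `claimed` is the full fingerprint of a subkey in the listing."""
    claimed = normalize(claimed)
    if len(claimed) != 40:   # a short key ID is not a verification
        return False
    return any(kind == "sub" and fpr == claimed
               for kind, _, fpr in list_fingerprints(colons))

if __name__ == "__main__":
    for kind, key_id, fpr in list_fingerprints(SAMPLE):
        print(kind, key_id, fpr)
    print(verify_subkey(SAMPLE, "911E 399A 4033 0310 6152  582F A006 27FC AD3C B326"))
```

The check accepts only a full-length fingerprint that belongs to a subkey record, so quoting the primary key's fingerprint or the 8-digit key ID does not count as confirming the subkey.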
