subkeys and key flags

David Shaw dshaw at jabberwocky.com
Sun Nov 30 23:58:04 CET 2003


On Mon, Dec 01, 2003 at 04:34:51AM +0100, Peter Palfrader wrote:
> On Sun, 30 Nov 2003, David Shaw wrote:
> 
> > > If yes, how do I create a signing subkey that only may be used to sign
> > > data/communications?
> > 
> > A signing subkey has the appropriate key flags set for signing data
> > and communications at generation time.  The certification flag is not
> > set.
> 
> This was only recently added to GnuPG?  I added subkeys to 94C09C7F in
> July (1.2.2 was in unstable at the time I think) but pgpdump does not
> show key flags.

It depends on the subkey type.  For types that depend on flags
(i.e. RSA), the flags were put in for a long time (1.0.6?).  For
Elgamal encrypt-only and DSA there was no point in flags, but for
neatness, flags were added anyway starting in 1.2.3.

> > > Is it possible to amend the keyflags by adding a new self signature
> > > to a subkey?  (I suppose so, if yes, how do I do it?)
> > 
> > In theory it's doable, but GnuPG does not provide a means to do it.
> > You'd have to hack the source.
> 
> Will GnuPG recognize and handle the second signature correctly?  Do you
> know whether PGP, Hushmail, etc will do so?

GnuPG will.  I'm honestly not sure about the others.  It's also worth
verifying that all keyservers will store the second signature.  I'm
pretty sure that most won't.

David
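
Added example, not part of the original message and not GnuPG code: a check for whether a v4 subkey binding signature carries a key flags subpacket (type 27) in its hashed area, which is the field the thread says pgpdump did not show. The function names and byte samples are constructed for illustration; the flag bit meanings are those of RFC 4880.

```python
import struct

# Key flag bits from RFC 4880 section 5.2.3.21 (first octet of subpacket 27).
FLAGS = {0x01: "certify", 0x02: "sign", 0x04: "encrypt-communications",
         0x08: "encrypt-storage", 0x10: "split-key", 0x20: "authenticate",
         0x80: "group-key"}
KEY_FLAGS_SUBPACKET = 27
SUBKEY_BINDING = 0x18


def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        yield area[i] & 0x7F, area[i + 1:i + length]  # strip critical bit
        i += length


def key_flags(sig_body):
    """Return flag names from the hashed area, or None if subpacket 27 is absent."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    for sp_type, data in subpackets(hashed):
        if sp_type == KEY_FLAGS_SUBPACKET:
            bits = data[0] if data else 0
            return [name for bit, name in FLAGS.items() if bits & bit]
    return None


# Constructed samples: v4 subkey binding signatures (0x18) cut off after the
# hashed area. CREATED is a creation-time subpacket (type 2).
CREATED = bytes.fromhex("05023fca7b00")
WITH_FLAGS = bytes([4, SUBKEY_BINDING, 1, 2, 0, 9]) + CREATED + bytes.fromhex("021b02")
NO_FLAGS = bytes([4, SUBKEY_BINDING, 17, 2, 0, 6]) + CREATED  # DSA, no flags

if __name__ == "__main__":
    print(key_flags(WITH_FLAGS), key_flags(NO_FLAGS))
```

A `None` result means the binding signature has no key flags subpacket at all, which is different from a subpacket that is present with no bits set.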


More information about the Gnupg-users mailing list