hierarchical keys? Encryption to two subkeys impossible

Andreas Bergen andreas.bergen at in-jesus.de
Thu Apr 1 22:55:31 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> This could possibly be accomplished by using subkeys.
> I do not think they are intended to be used that way but it might be
> possible.
>
> People have talked about having a master (key-)signing key on a secure
> machine and exporting subkeys from that key to use on less secure
> machines. That way the private key that collects signatures is safe and
> it is still possible to sign with a well known key on less secure or
> potentially uncontrolled machines (like at work) without risking the
> real key.
>
> By using the primary key of an OpenPGP key as master and generating
> subkeys for the delegated keys you should get the first level of
> delegation; I do not know how to get a second level of delegation this way.


I tried that and it worked. Thanks for the help. 

This raises another question, though. I tried encrypting with two 
encryption keys (they're always subkeys, so there's no implicit 
master-slave key relation, but I think that's not necessary, as a user can't 
be forced to encrypt something so that someone else can decrypt it; it's 
purely voluntary. But I think it should be possible!). As of version 1.2.2, 
gpg seems to always encrypt 
to the last available encryption subkey. There seems to be no way to encrypt 
to both (valid) subkeys, even when using the respective key ID.

Here is an example:
bergen at paulus<441> gpg --list-keys testkey
pub  1024D/D2DFACE3 2004-04-01 testkey (Nur für Testzwecke) <bergen at localhost>
sub  1024g/5DB18EA4 2004-04-01
sub  1024g/EC2B2B4B 2004-04-01


cwd: /home/bergen/test/crypt/gpg
bergen at paulus<442> gpg -e passwd
You did not specify a user ID. (you may use "-r")

Enter the user ID.  End with an empty line: 5DB18EA4
Added 1024g/EC2B2B4B 2004-04-01 "testkey (Nur für Testzwecke) <bergen at localhost>"

Enter the user ID.  End with an empty line: EC2B2B4B
gpg: skipped: public key already set

Enter the user ID.  End with an empty line:



As you can see, I enter 5DB18EA4 as the key ID to encrypt to, but it gets 
encrypted to EC2B2B4B. I think there should be a way to encrypt to both 
encryption keys.

Thanks for any help.

Yours
  Andreas Bergen

- -- 
Andreas Bergen
E-Mail: andreas dot bergen at in-jesus dot de
PGP/GnuPG-encrypted / -signed Email welcome. PGP-key-ID: 8CDEC18F
God is love, and whoever abides in love abides in God, and God in him.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAbIHd/28tHYzewY8RAiXMAJ4w4XCIvj+WSx4qQL27waPnU9NBAQCePHt5
Vs6W37bLa5WkWHwm/EUP6hs=
=CUAM
-----END PGP SIGNATURE-----
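An added check, not part of Andreas's post and not GnuPG code: a small OpenPGP packet walker that reads the key ID out of every public-key-encrypted session key (PKESK) packet at the front of a message. That field is the ground truth for which subkey(s) a ciphertext was actually encrypted to, so it is the quickest way to verify the behaviour described above (`gpg --list-packets` prints the same field as "keyid"). The message bytes below are constructed for the example; the 64-bit key IDs are invented except for their low 32 bits, which match the short IDs 5DB18EA4 and EC2B2B4B in the listing, and all function names are my own.

```python
import struct

PKESK_TAG = 1   # public-key encrypted session key packet (RFC 4880, 5.1)
SEIPD_TAG = 18  # symmetrically encrypted integrity protected data packet
ELGAMAL_ENCRYPT_ONLY = 16  # algorithm id of the "1024g" subkeys in the listing


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def _pkesk(keyid_hex: str, algo: int, mpis: bytes, new_format: bool = False) -> bytes:
    """Build a version-3 PKESK packet (constructed test data) with an old- or new-format header."""
    body = b"\x03" + bytes.fromhex(keyid_hex) + bytes([algo]) + mpis
    assert len(body) < 192  # keeps both header styles to a one-octet length
    if new_format:
        return bytes([0xC0 | PKESK_TAG, len(body)]) + body
    return bytes([0x80 | (PKESK_TAG << 2), len(body)]) + body


def _seipd(payload: bytes) -> bytes:
    """Tag 18 only exists with new-format headers (old format stops at tag 15)."""
    body = b"\x01" + payload
    return bytes([0xC0 | SEIPD_TAG, len(body)]) + body


# Elgamal session-key encryption carries two MPIs; the values here are dummies.
_FAKE_ELGAMAL = _mpi(0x1234) + _mpi(0xABCDEF)
_FAKE_CIPHERTEXT = bytes(16)

# What the poster wanted: one message encrypted to both subkeys.
# High 32 bits of each key ID are invented; low 32 bits match the listing above.
BOTH_SUBKEYS_MSG = (
    _pkesk("A1B2C3D45DB18EA4", ELGAMAL_ENCRYPT_ONLY, _FAKE_ELGAMAL)
    + _pkesk("F0E1D2C3EC2B2B4B", ELGAMAL_ENCRYPT_ONLY, _FAKE_ELGAMAL, new_format=True)
    + _seipd(_FAKE_CIPHERTEXT)
)
# What the poster observed: only the last subkey was used.
LAST_SUBKEY_ONLY_MSG = (
    _pkesk("F0E1D2C3EC2B2B4B", ELGAMAL_ENCRYPT_ONLY, _FAKE_ELGAMAL) + _seipd(_FAKE_CIPHERTEXT)
)


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old and new format headers,
    rejects partial body lengths (never used for PKESK)."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        pos += 1
        if ctb & 0x40:  # new format: 6-bit tag, variable-length length field
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: 4-bit tag, 2-bit length type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                length = n - pos  # indeterminate length: rest of input
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        pos += length
        yield tag, body


def recipient_keyids(message: bytes):
    """Return [(keyid_hex, algo), ...] for every PKESK packet in the message.
    A key ID of all zeros means a hidden recipient (gpg --throw-keyids)."""
    found = []
    for tag, body in iter_packets(message):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:
            raise ValueError("unsupported PKESK version %d" % body[0])
        found.append((body[1:9].hex().upper(), body[9]))
    return found


def encrypted_to_all(message: bytes, short_ids) -> bool:
    """True if every given 8-hex-digit short key ID appears among the recipients."""
    present = {keyid[-8:] for keyid, _ in recipient_keyids(message)}
    return all(s.upper() in present for s in short_ids)
```

Run `recipient_keyids` over a real `.gpg` file to see the same information `gpg --list-packets` shows; with one PKESK per recipient subkey the ciphertext is decryptable by either. In current GnuPG releases a trailing "!" on the key ID (`-r 5DB18EA4!`) forces exactly that subkey instead of letting gpg pick one; whether 1.2.2 honoured that syntax is not something this thread establishes.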