hierarchical keys?
Andreas Bergen
andreas.bergen at in-jesus.de
Tue Mar 30 19:11:58 CEST 2004
Hi,
I've got a question regarding pgp / gnupg / gpgsm, etc. What I'd like to know
is, if there's a way to use these (or other?) encryption systems to do the
following:
I'd like to have a master keypair (M).
Using this I can create one or more dependent keypairs (D1 through Dn) (which
by themselves can, if M allows, be masters for keys E1 through Em).
When I encrypt a file using the keys Di, the encrypted file can be decrypted
using only Di (and not Dj with i != j) or M.
M can be configured to allow or disallow certain Di to sign in M's name
without giving away the secret part of M. That is, if someone gets a message
signed by Di, the signature can be verified using the public part of M (or
Di).
Using M I can create revocation certificates for all Di.
This can be used for example for signing publicly available software, where
the signing-process can be delegated without giving away the master signing
key. Or it can be used for people / organizations to have a backup master key
to be able to decrypt files with where the decryption-key / passphrase has
been lost.
Any comments welcome.
Please reply by email as I'm not subscribed to this mailing list.
Yours
Andreas Bergen
--
Andreas Bergen
PGP/GnuPG-encrypted / -signed Email welcome. PGP-key-ID: 8CDEC18F
God is love, and whoever abides in love abides in God, and God in him.
More information about the Gnupg-users
mailing list