RFE: Unsignable keys
linux at codehelp.co.uk
Sat Jan 1 14:42:57 CET 2005
Request for Enhancement / Comments: GnuPG.
Would it be possible to create an --expert option to generate a key that
CANNOT be signed (under any circumstances) unless BOTH secret keys are
available? (signer has to have secret key anyway, these special keys would
also need the signee secret key in the same keyring).
$ gpg --expert-unsignable --gen-key
$ gpg --expert-verification --gen-key
This could be useful for corporate and verification keys that would then be
used to sign other keys but could only be signed by keys owned by the
original key owner. These signatures could be used to bring the key into the
WoT without allowing any of the noise that pollutes current robot /
If the PGP Global Directory Verification Key was unsignable, only those with
access to the secret key within PGP GD would be able to sign it.
Anyone else would get a telling off from GnuPG:
"This is a verification key - it cannot be verified or signed without access
to it's secret key. Your request to sign this key has been ignored."
(I haven't looked at the OpenPGP spec, it probably breaks it but as an
--expert option, GnuPG already supports other options that allow operation
outside the strict spec.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050101/b3205548/attachment.bin
More information about the Gnupg-users