RFE: Unsignable keys

David Shaw dshaw at jabberwocky.com
Sat Jan 1 18:58:36 CET 2005


On Sat, Jan 01, 2005 at 01:42:57PM +0000, Neil Williams wrote:
> Request for Enhancement / Comments: GnuPG.
> 
> Would it be possible to create an --expert option to generate a key that 
> CANNOT be signed (under any circumstances) unless BOTH secret keys are 
> available? (signer has to have secret key anyway, these special keys would 
> also need the signee secret key in the same keyring).

[..]

> This could be useful for corporate and verification keys that would then be 
> used to sign other keys but could only be signed by keys owned by the 
> original key owner. These signatures could be used to bring the key into the 
> WoT without allowing any of the noise that pollutes current robot / 
> impersonal keys.
> 
> If the PGP Global Directory Verification Key was unsignable, only those with 
> access to the secret key within PGP GD would be able to sign it.
> 
> Anyone else would get a telling off from GnuPG:
> "This is a verification key - it cannot be verified or signed without access
> to its secret key. Your request to sign this key has been ignored."

What you suggest is not impossible, but has a number of caveats when
done as part of OpenPGP.  The signature math of OpenPGP does not cover
this sort of case, so such a flag would need to be somewhat advisory.
This isn't to say that advisory flags are useless: most things like
this in OpenPGP are advisory, and they work fairly well.

There are quite a few ways to do this, each with their plusses and
minuses, but it comes down to the interoperability question.  It would
have to be part of OpenPGP (and not GnuPG-specific) if it was to
really work, and some consideration would have to be given to what the
semantics were when an old implementation ignored the flag and signed
anyway.

David


