Certification-only key

Lionel Elie Mamane lionel at mamane.lu
Mon Sep 5 16:41:40 CEST 2005


I tried to generate an RSAv4 certification-only key with GnuPG, but
failed, even in "expert mode".

What I mean is a primary key that can be used to attach a subkey to
it, or _maybe_ also to sign UserIDs of other keys (for the Web of
Trust). But not for data signatures. As I understand the RFC, I want a
primary key with key flags 0x01 (or maybe even 0x00?).

But GnuPG only presents me with three "bits" to flip:

 - signature, which seems to set key flag 0x03
 - encryption, which seems to set key flag 0x0C
 - authentication, which seems to set flag 0x21

I tried turning all three bits off, but then the key doesn't have a
key flags subpacket (packet 27) at all and seems to be treated by
GnuPG as an "everything is allowed" key.

Is this impossible with GnuPG? Is it a bad idea? Why? Do I
misunderstand the RFC?

Thanks for your explanations,

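The flag values the post lists (0x03, 0x0C, 0x21, and the wanted 0x01) are bit masks in the body of the Key Flags signature subpacket, subpacket type 27. The following added example, which is not code from the post or from GnuPG, encodes and decodes that subpacket using the layout and bit assignments from RFC 4880 section 5.2.3 (the same values RFC 2440 defined); it assumes a one-octet flags body, which is what implementations of that era emitted. It shows which capabilities each of GnuPG's three toggles actually sets, how a certify-only subpacket would be serialised, and that a subpacket area with no type-27 entry yields no capability information at all, which is the "everything is allowed" case the post describes.

```python
"""Encode and decode the OpenPGP Key Flags signature subpacket.

Added example (not from the post or GnuPG).  Layout and bit values follow
RFC 4880 sections 5.2.3.1 (subpacket framing) and 5.2.3.21 (key flags).
"""
from typing import List, Optional, Tuple

KEY_FLAGS_SUBPACKET_TYPE = 27

# Bits defined by RFC 4880 for the first octet of the key flags body.
KEY_FLAG_BITS = {
    0x01: "certify other keys",
    0x02: "sign data",
    0x04: "encrypt communications",
    0x08: "encrypt storage",
    0x10: "private components split (secret sharing)",
    0x20: "authentication",
    0x80: "private key held by more than one person",
}


def decode_key_flags(flags: int) -> List[str]:
    """Return the capabilities set in one key flags octet, in bit order."""
    caps = [name for bit, name in KEY_FLAG_BITS.items() if flags & bit]
    unknown = flags & ~sum(KEY_FLAG_BITS)
    if unknown:
        caps.append("unknown bits 0x%02x" % unknown)
    return caps


def encode_subpacket(sub_type: int, body: bytes, critical: bool = False) -> bytes:
    """Serialise one signature subpacket: length, type octet, body.

    The length covers the type octet plus the body, not the length field
    itself.  Bit 7 of the type octet is the critical flag.
    """
    length = len(body) + 1
    if length < 192:
        hdr = bytes([length])
    elif length < 16320:
        hdr = bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        hdr = b"\xff" + length.to_bytes(4, "big")
    return hdr + bytes([sub_type | (0x80 if critical else 0)]) + body


def key_flags_subpacket(flags: int, critical: bool = False) -> bytes:
    """Build a key flags subpacket with a one-octet flags body."""
    return encode_subpacket(KEY_FLAGS_SUBPACKET_TYPE, bytes([flags]), critical)


def parse_subpackets(data: bytes) -> List[Tuple[int, bool, bytes]]:
    """Walk a hashed or unhashed subpacket area into (type, critical, body)."""
    out = []
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:
            length = int.from_bytes(data[i + 1:i + 5], "big")
            i += 5
        if length < 1 or i + length > len(data):
            raise ValueError("truncated or malformed subpacket")
        type_octet = data[i]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), data[i + 1:i + length]))
        i += length
    return out


def key_capabilities(subpacket_area: bytes) -> Optional[List[str]]:
    """Capabilities advertised by the key flags subpacket in the area.

    Returns None when no key flags subpacket is present: the area then says
    nothing about usage, and the consumer decides what the key may do.
    """
    for sub_type, _critical, body in parse_subpackets(subpacket_area):
        if sub_type == KEY_FLAGS_SUBPACKET_TYPE and body:
            return decode_key_flags(body[0])
    return None


if __name__ == "__main__":
    # The three GnuPG toggles named in the post, plus the wanted certify-only value.
    for label, flags in (("signature", 0x03), ("encryption", 0x0C),
                         ("authentication", 0x21), ("certify only", 0x01)):
        print("0x%02x (%s): %s" % (flags, label, ", ".join(decode_key_flags(flags))))
    print("certify-only subpacket bytes:", key_flags_subpacket(0x01).hex())
    # Constructed area holding only a creation-time subpacket (type 2): no key flags.
    print("no key flags ->", key_capabilities(b"\x05\x02\x00\x00\x00\x00"))
```

Running it shows that 0x03 is certify plus sign, 0x0C is both encrypt bits, and 0x21 is certify plus authentication, so every GnuPG toggle the post lists either includes the certify bit or leaves it off only when the whole subpacket is dropped.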