Certification-only key

David Shaw dshaw at jabberwocky.com
Mon Sep 5 22:46:46 CEST 2005


On Mon, Sep 05, 2005 at 09:35:50PM +0200, Lionel Elie Mamane wrote:
> On Mon, Sep 05, 2005 at 01:46:07PM -0400, David Shaw wrote:
> > On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote:
> 
> >> I tried to generate an RSAv4 certification-only key with GnuPG, but
> >> failed, even in "expert mode".
> 
> >> Is this impossible with GnuPG? Is it a bad idea? Why? Do I
> >> misunderstand the RFC?
> 
> > It's not impossible - 1.4.3 (not released yet) supports certify-only
> > keys like you want.
> 
> OK, thanks.
> 
> > It's not necessarily a good idea though: some people before agreeing
> > to sign a key will ask for a signed message to prove that you "own"
> > the secret portion of the key they are about to sign.
> 
> I would obviously have at least one data-signing subkey. I presume
> these people would take a signature from such a subkey. Or decryption
> of a nonce they sent me encrypted to an encryption subkey.

They might, but really shouldn't (I wouldn't).  When you make a
certification signature on someone else's key, you're signing the
primary key plus the user ID in question.  There is no benefit in
receiving a signed challenge from any key other than the primary.

For the same reason, encryption challenges ("can you decrypt this?")
aren't usually meaningful in OpenPGP (PGP 5+, GnuPG).  Since the
object being signed is the primary key, that's the key you want to
establish ownership of.  The huge majority of primary keys in the
world today don't or can't encrypt.

> You could argue I could have this without marking the key as
> certificate-only, by never issuing data signatures with the primary
> key. That's harder on me. I have to be more cautious. Over the course
> of twenty years, I *will* screw up.

GnuPG actually makes it hard for you to screw up here.  If there is a
subkey that can sign, GnuPG will use it rather than the primary.  The
only way to get a signature (as opposed to a key certification) from
the primary is to specify its key ID explicitly with an exclamation
point.

Some people keep their primary key offline and do their regular
day-to-day signing and encryption with subkeys.  In that case, it's not
possible to screw up: even if you override the default by specifying
the key ID and an exclamation point, the actual key isn't there to
use.

> Now, I'm starting to wonder if I can retroactively change the
> capabilities of the key. I just have to reissue the self-signature on
> the UserIDs, right? (Yes, I'd have to hack GnuPG to allow me to change
> the key flags.)

Yes.  Obviously you can't do things like turn a DSA key into an
encryption key, but you can certainly twiddle an RSA key into whatever
you like.

David
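The two mechanics discussed in this thread, the key-flags subpacket in a self-signature that marks a key certify-only and the rule that a signing-capable subkey is preferred over the primary unless a key ID is forced with an exclamation point, as an added worked example. This is not code from the thread or from GnuPG: it parses and rewrites the hashed subpacket area of a v4 signature packet (RFC 4880 section 5.2.3, key-flags subpacket type 27 with bit values 0x01 certify, 0x02 sign, 0x04/0x08 encrypt, 0x20 authenticate) and then models the key-selection behaviour David describes. The selection function is an assumed model of that behaviour, not GnuPG's own code; the sample subpacket area, key IDs and creation time are constructed for the example.

```python
"""Key-flags subpacket handling and a model of GnuPG's signing-key choice.

Added example, not part of the original thread or of GnuPG. Subpacket
encoding follows RFC 4880 5.2.3.1; key-flag bit values follow 5.2.3.21.
"""

SUBPKT_KEY_FLAGS = 27

FLAG_CERTIFY = 0x01
FLAG_SIGN = 0x02
FLAG_ENCRYPT_COMMS = 0x04
FLAG_ENCRYPT_STORAGE = 0x08
FLAG_AUTH = 0x20

FLAG_NAMES = [
    (FLAG_CERTIFY, "certify"),
    (FLAG_SIGN, "sign"),
    (FLAG_ENCRYPT_COMMS, "encrypt-communications"),
    (FLAG_ENCRYPT_STORAGE, "encrypt-storage"),
    (FLAG_AUTH, "authenticate"),
]


def parse_subpackets(area: bytes):
    """Return [(type, critical, body)] for a signature subpacket area.

    The length octet(s) cover the type octet plus the body, not themselves.
    """
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:                                 # five-octet length
            length = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        ptype, critical = area[i] & 0x7F, bool(area[i] & 0x80)
        out.append((ptype, critical, bytes(area[i + 1:i + length])))
        i += length
    return out


def encode_length(n: int) -> bytes:
    """Inverse of the length decoding above."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")


def serialize_subpackets(subpackets) -> bytes:
    out = bytearray()
    for ptype, critical, body in subpackets:
        out += encode_length(len(body) + 1)
        out.append(ptype | (0x80 if critical else 0))
        out += body
    return bytes(out)


def get_key_flags(area: bytes):
    """First octet of the key-flags subpacket, or None if the subpacket is absent."""
    for ptype, _critical, body in parse_subpackets(area):
        if ptype == SUBPKT_KEY_FLAGS and body:
            return body[0]
    return None


def set_key_flags(area: bytes, flags: int) -> bytes:
    """Rewrite the hashed area with new key flags: the 'twiddle' from the thread.

    Only the subpacket area is rebuilt here; the self-signature that contains it
    must then be re-issued with the primary key, since the hashed area is signed.
    """
    keep = [sp for sp in parse_subpackets(area) if sp[0] != SUBPKT_KEY_FLAGS]
    keep.append((SUBPKT_KEY_FLAGS, False, bytes([flags])))
    return serialize_subpackets(keep)


def describe_flags(flags: int):
    return [name for bit, name in FLAG_NAMES if flags & bit]


# Constructed hashed area: creation-time subpacket (type 2) followed by a
# key-flags subpacket (type 27) marking the key certify+sign (0x03).
SAMPLE_HASHED_AREA = bytes.fromhex("0502431c8e2a" "021b03")


def make_keyring(primary_flags=FLAG_CERTIFY | FLAG_SIGN, primary_secret=True):
    """Constructed keyring: primary plus a signing and an encryption subkey (fake key IDs)."""
    return [
        {"keyid": "0123456789ABCDEF", "flags": primary_flags, "primary": True, "secret": primary_secret},
        {"keyid": "FEDCBA9876543210", "flags": FLAG_SIGN, "primary": False, "secret": True},
        {"keyid": "0011223344556677", "flags": FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE, "primary": False, "secret": True},
    ]


def choose_signing_key(keys, user_spec=None):
    """Assumed model of the selection rule described in the thread, not GnuPG's code.

    A 'KEYID!' spec forces exactly that key; it is used only if its secret part is
    present and it is sign-capable. Otherwise a sign-capable subkey is preferred,
    and the primary is used only when no such subkey exists. Returns None when
    nothing usable is found (e.g. the forced primary is kept offline).
    """
    usable = lambda k: k["secret"] and (k["flags"] & FLAG_SIGN)
    if user_spec is not None and user_spec.endswith("!"):
        wanted = user_spec[:-1].upper()
        for k in keys:
            if k["keyid"].upper().endswith(wanted):
                return k["keyid"] if usable(k) else None
        return None
    for k in keys:
        if not k["primary"] and usable(k):
            return k["keyid"]
    for k in keys:
        if k["primary"] and usable(k):
            return k["keyid"]
    return None
```

Running `describe_flags(get_key_flags(SAMPLE_HASHED_AREA))` on the constructed area reports certify and sign; after `set_key_flags(..., FLAG_CERTIFY)` only certify remains, which is the retroactive change Lionel asks about. With the constructed keyring, the default choice is the signing subkey; `"0123456789ABCDEF!"` forces the primary, and the same spec yields nothing once the primary's secret part is marked absent, mirroring the offline-primary case.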
