Key Signing, Subkeys

David Shaw dshaw at jabberwocky.com
Sat Sep 1 15:16:30 CEST 2007


On Sat, Sep 01, 2007 at 12:39:54PM +0200, g_k at gmx.at wrote:
> Hi!
> 
> I'm new to GnuPG and have 2 questions regarding key signing I didn't find 
> answers for in the documentation:
> 
> 1) Somebody signs my public key, and this "new version" containing
> that additional signature is uploaded to a keyserver. (Am I right so
> far?)  How do others that already had my public key before that
> signature get the new version? How do they know there is a new one?

Most people poll for updates occasionally (e.g. "gpg --refresh").
There is no notification method.

> 2) When I have a master key, and a subkey for everyday usage, I
> don't lose all the signatures on the master key if the subkey is
> revoked or expires, since the new subkey will be signed by the
> master key.

True.

> This implies using only the master key for signing.

Not necessarily true.  You can use a subkey for signing if you like.
In this usage, the master key is only used for signing other keys
(whether your own subkeys or other people's keys).

> Now, if someone signs my master key, how will this be reflected on
> the subkey? Do I have to generate a new subkey every time someone
> signs my master key in order that the new signature affects the
> subkey?

No.  The trust calculations are between master keys and user IDs
(people don't sign a master key - they sign a master key and user ID).
Subkeys just go along for the ride.

David
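
What the reply describes can be seen in a key listing. The following is an added example, not part of the original post: it parses a constructed, simplified `gpg --with-colons --list-sigs` listing (key IDs, names and dates are made up, trailing fields omitted) and shows that a third-party certification attaches to the user ID, while subkeys carry only the master key's binding signature.

```python
# Constructed sample in the layout of `gpg --with-colons --list-sigs`
# (not real keys). A = master key, B = someone who signed it,
# C = a revoked signing subkey, D = its replacement.
LISTING = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1188000000:::u:::scC:
uid:u::::1188000000::::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1188000000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1188600000::::Bob Example <bob@example.org>:10x:
sub:r:2048:1:CCCCCCCCCCCCCCCC:1188000000::::::s:
sig:::1:AAAAAAAAAAAAAAAA:1188000000::::Alice Example <alice@example.org>:18x:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1188700000::::::s:
sig:::1:AAAAAAAAAAAAAAAA:1188700000::::Alice Example <alice@example.org>:18x:
"""

# OpenPGP signature classes 0x10-0x13 certify a (master key, user ID) pair;
# class 0x18 is the master key binding a subkey to itself.
CERT_CLASSES = {"10", "11", "12", "13"}


def attach_signatures(listing):
    """Group each signature under the record it follows in the listing.

    Returns (master_keyid, uids, subkeys) where
      uids    maps user ID -> key IDs of third-party certifiers
      subkeys maps subkey ID -> {"validity": flag, "signers": [key IDs]}
    """
    master, current = None, None
    uids, subkeys = {}, {}
    for line in listing.strip().splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            master, current = f[4], None
        elif rec == "uid":
            current = ("uid", f[9])
            uids[f[9]] = []
        elif rec == "sub":
            current = ("sub", f[4])
            subkeys[f[4]] = {"validity": f[1], "signers": []}
        elif rec == "sig" and current is not None:
            kind, key = current
            sig_class = f[10][:2]          # e.g. "10x" -> "10"
            if kind == "uid" and sig_class in CERT_CLASSES and f[4] != master:
                uids[key].append(f[4])     # someone else certified key + user ID
            elif kind == "sub":
                subkeys[key]["signers"].append(f[4])
    return master, uids, subkeys
```

On the sample, Bob's certification is listed under Alice's user ID only; revoking subkey C and adding subkey D leaves it untouched, because neither subkey ever carried it.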


