How trust works in gpg...

Werner Koch wk at gnupg.org
Thu Apr 17 13:00:23 CEST 2008


On Wed, 16 Apr 2008 10:57,
christoph.anton.mitterer at physik.uni-muenchen.de said:

>> What I meant are proofs based on the ability to decrypt a message.  That
>> is not going to work if you do not have an encryption subkey.
> Could you please find the time to explain this further? Why would it
> only work with an encryption subkey (or didn't you want to exclude
> encryption primary keys - I know they're not supposed to be used for

Those proofs work by sending you an encrypted message with a nonce.  You
have to decrypt it and send it back so that the sender knows that you
have access to the secret key and will then sign your key.  If you don't
have a key with encryption capability on your key, that can't work.  For
many years I used a signing only key for certification and I can't count
the numerous complaints resulting from that.

>> Regarding signing challenges; they are fine as long as a signing subkey
>> is available.
> This sounds interesting.
> What would I know from a signing challenge? What is it exactly? Ask the
> peer to sign my challenge?

Right.

> And why wouldn't it work with the primary (signing) key.

Because in my case that is off line and I would need to implement quite
some code to take the signing challenge to the secure offline box with
the primary key, sign the challenge, copy the result back to a
networked box and send it.  Yeah, it is possible to do but it does not
make much sense to me.  A signing subkey would be easier.

> I do the same. Just out of curiosity, would you suggest that those
> certification-only primary-keys use just the "C" flag (I forgot the
> hex-code) for the key usage, to explicitly denote "this key is only
> used for certification"?

I have no opinion on this.

> If that makes sense, it would depend on whether the RFC means with the C
> flag a general certification use (not only OpenPGP keys/UIDs) or only
> certification of OpenPGP keys/UIDs.

That's up to you.  OpenPGP does not enforce a strict meaning on
everything, so some things are vague on purpose.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
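As an added illustration (not GnuPG code and not part of the original mail), the two challenge types discussed above run against RFC 4880 key-usage flags; textbook RSA over constructed small primes stands in for the real cipher, so the numbers are a demo, not a secure key.

```python
"""Proof-of-possession challenges against OpenPGP-style key capability flags.

Added illustration, not GnuPG code: textbook RSA with fixed small primes
stands in for the real algorithm (no padding, no real security).
Flag values follow RFC 4880 section 5.2.3.21 (key flags subpacket).
"""
import hashlib
import secrets

FLAG_CERTIFY, FLAG_SIGN, FLAG_ENCRYPT = 0x01, 0x02, 0x0C  # E = comms | storage

# Constructed demo key material: tiny fixed primes; a real key is 2048+ bits.
_P, _Q, _E = 1000000007, 998244353, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


class Key:
    """One OpenPGP (sub)key: RSA parameters plus its usage flags."""
    def __init__(self, flags):
        self.flags = flags
        self.n, self.e, self.d = _N, _E, _D

    def can(self, flag):
        return bool(self.flags & flag)


def encryption_challenge(key):
    """Challenger encrypts a nonce; holder must decrypt it and send it back.
    A certification- or signing-only key has no E capability and cannot answer."""
    nonce = secrets.randbelow(key.n)
    ciphertext = pow(nonce, key.e, key.n)          # challenger side
    if not key.can(FLAG_ENCRYPT):
        return False                                # holder has nothing to decrypt with
    answer = pow(ciphertext, key.d, key.n)          # holder side
    return answer == nonce                          # challenger checks the echo


def signing_challenge(key):
    """Challenger sends a nonce; holder signs its hash; challenger verifies.
    Needs the S capability, which a signing subkey provides."""
    nonce = secrets.token_bytes(32)
    if not key.can(FLAG_SIGN):
        return False
    digest = int.from_bytes(hashlib.sha256(nonce).digest(), "big") % key.n
    signature = pow(digest, key.d, key.n)           # holder side
    return pow(signature, key.e, key.n) == digest   # challenger side
```

A "C"-only primary key fails both challenges, which is exactly the source of the complaints described above; adding a signing subkey satisfies the signing challenge without taking the offline primary key online.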