There are actually two public keys?

James P. Howard, II jh at
Tue May 19 19:46:58 CEST 2009

On Mon May 18 19:58:08 2009, David Shaw <dshaw at> wrote:

> Signing with a subkey has a slightly different meaning than signing with
> a primary key.  When you sign a key, you're actually signing a
> combination of the primary key and user ID that you chose to sign.  If
> you signed with a subkey, you'd lose the nice symmetry of signing with
> the thing that your friend is also signing on your key.  Rather, you'd
> be signing with something one "hop" away from that primary key, as the
> subkeys are signed by the primary.
> Perhaps a more immediate answer is that nobody ever implemented it. 
> OpenPGP itself doesn't care (OpenPGP actually doesn't specify all that
> much about trust models and the web of trust).  Historically, the web of
> trust was built between signatures between primaries, and that's what
> everyone implements today.  At one point there was talk of publishing a
> standard for the web of trust, but there didn't seem to be much interest
> in it.

This is fascinating and I need to think about that a bit.

>>  And on a divergent note, using the black
>> magic described elsewhere[1], is it bad to convert a subkey into a
>> primary key and use it to sign others?
> To do this, you have to have the key in primary key form in the (local)
> web of trust.  If you don't, then the signatures won't be used.

Well, I did succeed in doing it last night as a test.  So I guess the
bigger question, is it poor etiquette?


James P. Howard, II, MPA
jh at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090519/6f3befef/attachment-0001.pgp>

More information about the Gnupg-users mailing list