Possible bug: addkey can create certifying subkey

Werner Koch wk at gnupg.org
Tue Sep 1 09:45:49 CEST 2009

On Mon, 31 Aug 2009 19:24, jh at jameshoward.us said:
> I am not sure if this is a bug, but given the documentation it is not
> the expected behavior.  I created new keys this weekend, due to a lost
> USB drive.  Replicating it here, if you specify --expert and create a
> RSA subkey with all the options off, it will create a subkey with all
> the options, including certification turned on.  Here's a slightly

That is perfectly okay.  If you want to set the key flag for
certification on a subkey, gpg allows you to do so.  The OpenPGP
standard does not restrict this.  

Note that despite a subkey carrying this flag, OpenPGP (and thus gpg)
will always use the primary key for certification of user-ids and other
subkeys (binding signatures) and for certifying other keys (key



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-users mailing list