multiple subkeys and key transition

David Shaw dshaw at jabberwocky.com
Sat Dec 11 21:21:58 CET 2010


On Dec 11, 2010, at 2:55 PM, Ben McGinnes wrote:

>> You can't actually turn on or off certify (which is to sign a key -
>> either your own or someone else's).  In OpenPGP, the primary key can
>> always certify (it may be able to encrypt/sign/authenticate as well,
>> but the only strict requirement is that it must be able to certify).
>> Without the ability to certify, you could never make a subkey, since
>> subkeys are signed by the primary key.
> 
> Cool.  On a tangential note, could this be used as a basis for
> applying a PKI/WoT model to certification of SSL keys, rather than
> relying on CAs?

Yes indeed.  See http://web.monkeysphere.info/ for a project using the WoT for both SSH and HTTPS.

>> Once you make that primary key, you just add subkeys for whatever
>> capabilities you desire.  Again, the defaults are recommended (they
>> are correct for virtually everyone).  I'd add a sign-only subkey and
>> an encrypt-only subkey.  GnuPG will automatically use the subkey for
>> signing over the primary key for signing.
> 
> I assume this means that if the primary key can sign & certify, that
> key will still be used to sign other keys even if there is a specific
> signing subkey for messages and files.  Right?

Right.  Since only the primary can certify, it will be automatically chosen whenever you try to sign another key.

David
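The capability rules described in this exchange (only the primary key can certify; a sign-only and an encrypt-only subkey are preferred over the primary for their respective jobs) can be checked against what `gpg --with-colons --list-keys` prints. The following is an added illustration, not code from the mailing-list post or from GnuPG itself: it parses a constructed colon-format listing (made-up key IDs) and applies a simplified selection rule that is an assumption about GnuPG's behaviour, not its real implementation.

```python
# Added example (not from the post or from GnuPG): a small parser for the
# machine-readable `gpg --with-colons --list-keys` output, used to show which
# key would be chosen for certifying, signing and encrypting given the
# capability letters of the primary key and its subkeys.
# Assumption: the selection rule below (prefer a valid capable subkey, fall
# back to the primary; only the primary may certify) is a simplified model of
# how GnuPG picks keys, not its actual code.

# Constructed sample listing: a sign+certify primary ("sc"), a sign-only
# subkey ("s"), an encrypt-only subkey ("e") and a revoked signing subkey.
# Key IDs, dates and the user ID are made up.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1291000000:::u:::scESC::::::23::0:
uid:u::::1291000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1291000100::::::s::::::23:
sub:u:4096:1:1122334455667788:1291000200::::::e::::::23:
sub:r:4096:1:8877665544332211:1291000300::::::s::::::23:
"""

# Validity letters (field 2) that make a key unusable: revoked, expired,
# invalid, disabled, not valid.
INVALID_VALIDITY = set("reidn")


def parse_keys(listing):
    """Return one dict per pub/sub record with its key ID, validity and own capabilities."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        # Field 12 (index 11) holds the capability letters: lower-case letters
        # are this key's own capabilities, upper-case ones summarise the usable
        # capabilities of the whole key (primary plus subkeys).
        caps = fields[11] if len(fields) > 11 else ""
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "validity": fields[1],
            "caps": {c for c in caps if c.islower()},
        })
    return keys


def select_key(keys, capability):
    """Pick the key ID that would be used for one of 'c', 's', 'e', 'a'; None if none fits."""
    usable = [k for k in keys
              if capability in k["caps"] and k["validity"] not in INVALID_VALIDITY]
    if capability == "c":
        # Only the primary key can certify (sign other keys) in OpenPGP.
        usable = [k for k in usable if k["type"] == "pub"]
    # Model the subkey preference: a capable subkey wins over the primary.
    for k in usable:
        if k["type"] == "sub":
            return k["keyid"]
    return usable[0]["keyid"] if usable else None


if __name__ == "__main__":
    parsed = parse_keys(SAMPLE_LISTING)
    for cap, name in (("c", "certify"), ("s", "sign"), ("e", "encrypt"), ("a", "authenticate")):
        print(f"{name:13s} -> {select_key(parsed, cap)}")
```

Running it shows the certify job going to the primary key, signing to the valid sign-only subkey (the revoked one is skipped), encryption to the encrypt-only subkey, and no key at all for authentication, since nothing in the sample carries the `a` capability. On a real keyring, feed the function the output of `gpg --with-colons --list-keys` instead of the constructed string.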



