Certification of subkeys possible?

Hauke Laging mailinglisten at hauke-laging.de
Wed Jul 14 17:31:16 CEST 2010


Is it possible today (if not: how big would the changes to gpg or the OpenPGP 
standard have to be) to sign not only the main key and UIDs but also subkeys?

I just had a discussion about the advantages of OpenPGP and S/MIME. This seems 
to be one of the few properties of X.509 which cannot be "emulated" with gpg.

AFAIK you cannot prevent someone who generates a key on a smartcard which is 
to be certified by you to only use the smartcard if it is for gpg. He could 
create a subkey on a PC (and keep it there), certify it by the main key on the 
smartcard and a third party would put too much trust in your "this key 
certifies smartcard keys only" signature.

If it was possible to certify subkeys, too, then you would sign all keys on 
the smartcard and a third party could recognize a later generated subkey by 
the missing signature. And you could limit the capabilities by e.g. signing 
subkeys for authentication only.

This would combine the flexibility of OpenPGP with the possibility to create a 
higher level of security and trust for certain applications.

PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
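The structural point of the post (third-party certifications cover the primary key and its user IDs, while subkeys carry only a binding signature made by the primary key) can be checked mechanically on the text that `gpg --list-packets` prints. The following is an added example, not code from the post or from GnuPG: it parses a constructed packet listing (the key IDs are made up), lists who signed each subkey, and reports which subkeys no third-party certifier has vouched for. The second sample is hypothetical and shows what the proposal in the post would look like if a certifier could sign a subkey directly; it is not valid OpenPGP today.

```python
"""Which OpenPGP signatures actually cover a key's subkeys?

Added example, not from the post or from GnuPG.  Parses the text format
of `gpg --list-packets` for a constructed key (fake key IDs).  Under
RFC 4880 a subkey carries the 0x18 subkey binding signature issued by
the primary key; third-party certifications (sigclass 0x10-0x13) are
made over user IDs, so a certifier never signs a subkey directly.
"""
import re
from dataclasses import dataclass, field

CERTIFICATION_CLASSES = {0x10, 0x11, 0x12, 0x13}   # user ID certifications
SUBKEY_BINDING = 0x18                              # issued by the primary key


@dataclass
class Entity:
    """A primary key, subkey or user ID plus the signatures attached to it."""
    name: str
    kind: str                                  # "primary", "subkey" or "uid"
    sigs: list = field(default_factory=list)   # [(sigclass, issuer key ID)]


# Constructed sample in the layout gpg --list-packets prints (key IDs are
# fake): one primary key, one user ID certified by the owner and by a third
# party, a subkey created with the key and a second subkey added much later.
SAMPLE = """\
:public key packet:
    version 4, algo 1, created 1279117876, expires 0
    keyid: 0123456789ABCDEF
:user ID packet: "Example User <user at example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1279117876, md5len 0, sigclass 0x13
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1279118000, md5len 0, sigclass 0x13
:public sub key packet:
    version 4, algo 1, created 1279117876, expires 0
    keyid: 1111111111111111
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1279117876, md5len 0, sigclass 0x18
:public sub key packet:
    version 4, algo 1, created 1290000000, expires 0
    keyid: 2222222222222222
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1290000000, md5len 0, sigclass 0x18
"""

# Hypothetical: the post's proposal, a third-party certification attached
# directly to the first subkey.  Not valid OpenPGP today.
SAMPLE_WITH_SUBKEY_CERT = SAMPLE.replace(
    ":public sub key packet:\n    version 4, algo 1, created 1290000000",
    ":signature packet: algo 1, keyid FEDCBA9876543210\n"
    "    version 4, created 1279118000, md5len 0, sigclass 0x13\n"
    ":public sub key packet:\n    version 4, algo 1, created 1290000000")


def parse_list_packets(text):
    """Return entities in packet order; each signature goes to the packet before it."""
    entities, target, issuer = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":public key packet:"):
            target = Entity("", "primary")
            entities.append(target)
        elif line.startswith(":public sub key packet:"):
            target = Entity("", "subkey")
            entities.append(target)
        elif line.startswith(":user ID packet:"):
            m = re.search(r'"(.*)"', line)
            target = Entity(m.group(1) if m else "", "uid")
            entities.append(target)
        elif line.startswith("keyid:") and target and target.kind != "uid":
            target.name = line.split(":", 1)[1].strip().upper()
        elif line.startswith(":signature packet:"):
            m = re.search(r"keyid ([0-9A-Fa-f]+)", line)
            issuer = m.group(1).upper() if m else "?"
        elif issuer and target and "sigclass 0x" in line:
            m = re.search(r"sigclass 0x([0-9A-Fa-f]+)", line)
            target.sigs.append((int(m.group(1), 16), issuer))
            issuer = None
    return entities


def third_party_certifiers(entities):
    """Key IDs other than the primary that certified at least one user ID."""
    primary = next(e for e in entities if e.kind == "primary")
    return {iss for e in entities if e.kind == "uid"
            for cls, iss in e.sigs
            if cls in CERTIFICATION_CLASSES and iss != primary.name}


def subkey_signers(entities):
    """Map each subkey ID to the set of key IDs that signed it."""
    return {e.name: {iss for _, iss in e.sigs}
            for e in entities if e.kind == "subkey"}


def subkeys_not_vouched_for(entities):
    """Subkey IDs carrying no signature from any third-party certifier.

    With current OpenPGP this is every subkey: binding signatures come only
    from the primary key, so the certifier of the user ID cannot tell the
    original (smartcard) subkey from one generated later on a PC.
    """
    certifiers = third_party_certifiers(entities)
    return [e.name for e in entities if e.kind == "subkey"
            and not certifiers & {iss for _, iss in e.sigs}]
```

On the first sample both subkeys come back as not vouched for, even though FEDCBA9876543210 certified the user ID: the certification says nothing about which subkeys existed when it was made. On the hypothetical second sample only the later subkey 2222222222222222 is flagged, which is exactly the distinction the post wants a third party to be able to draw.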