Certification of subkeys possible?
mailinglisten at hauke-laging.de
Wed Jul 14 17:31:16 CEST 2010
is it possible today (if not: how big would the chanhes to gpg or the OpenPGP
standard have to be) to sign not only the main key and UIDs but also subkeys?
I just had a discussion about the advantages of OpenPGP and S/MIME. This seems
to be one of the few properties of X.509 which cannot be "emulated" with gpg.
AFAIK you cannot prevent someone who generates a key on a smartcard which is
to be certified by you to only use the smartcard if it is for gpg. He could
create a subkey on a PC (and keep it there), certify it by the main key on the
smartcard and a third party would put too much trust in your "this key
certifies smartcard keys only" signature.
If it was possible to certify subkeys, too, then you would sign all keys on
the smartcard and a third party could recognize a later generated subkey by
the missing signature. And you could limit the capabilities by e.g. signing
subkeys for authentication only.
This would combine the flexibility of OpenPGP with the possibility to create a
higher level of security and trust for certain applications.
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 555 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users