2.0.14 --gen-key interface nit

MFPA expires2010 at ymail.com
Tue Mar 23 14:10:03 CET 2010

On Monday 22 March 2010 at 2:30:36 PM, in
<mid:DE66FDCB-7796-45C6-A951-7B60DA26E4E3 at jabberwocky.com>, David Shaw

> On Mar 22, 2010, at 8:48 AM, MFPA wrote:
>> The thing that stands out to me is the lack of an
>> option to toggle the certify capability.

> That is by design, though the reason why is different
> for primary keys and subkeys.  For primary keys,
> OpenPGP requires this.  All primary keys must be able
> to certify.

Fair enough. I was thinking about the "special case" of users who
maintain a "personal master key" to collect and issue web of trust
signatures and to sign the "production" keys they actually use for
encryption and signing files or email. That set-up would be
well-served by the production keys being unable to certify. Of course,
a certify-only primary key with subkeys for signing and encryption is
the more standard way to achieve essentially the same thing.

> For subkeys, the web of trust is built
> between signatures on primary keys, so a certifying
> subkey would not actually serve any purpose (signatures
> from it would be ignored).  Note there is no official
> standard web of trust document that defines this, but
> it is the convention that all current programs that use
> the web of trust adhere to.

I never thought a certifying subkey would make a lot of sense. Any way
I thought about it, a signature from such a beast would mean exactly
the same as a signature from the primary key or, in certain
situations, add confusion/ambiguity with no discernible benefit.

--
Best regards

MFPA                    mailto:expires2010 at ymail.com

A bird in the hand makes it awfully hard to blow your nose
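
The thread turns on two facts about capability flags: every primary key must carry certify, and a certify flag on a subkey is ignored by web-of-trust implementations, so the "personal master key" layout is a certify-only primary with signing and encryption subkeys. The script below is an added example, not code from the thread or from GnuPG; it audits those two points against the colon-delimited output of `gpg --list-keys --with-colons` (the capability field is documented in GnuPG's doc/DETAILS). The two listings embedded in it are constructed samples with made-up key IDs, not real keys.

```python
"""Audit OpenPGP key capability flags from `gpg --list-keys --with-colons` output.

Checks the two points discussed in the thread: a primary key must carry the
certify ('c') capability, and a certify flag on a subkey serves no purpose
because web-of-trust implementations only honour certifications made by the
primary key.  Feed it real output with:
    gpg --list-keys --with-colons KEYID | python3 this_script.py
"""
import sys
from dataclasses import dataclass, field

# 0-based index of the capability field in pub/sub records (field 12 in the
# 1-based numbering of GnuPG's doc/DETAILS).  Lowercase letters are the key's
# own usage flags; uppercase letters summarise the usable flags of the whole key.
CAP_FIELD = 11

# Constructed sample: certify-only primary, signing subkey, encryption subkey.
# This is the layout a "personal master key" set-up produces.  Key IDs are fake.
GOOD_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1269000000:::u:::cESC:
fpr:::::::::00000000000000000000123456789ABCDEF:
uid:u::::1269000000::DEADBEEF::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1269000000::::::s:
sub:u:4096:1:1122334455667788:1269000000::::::e:
"""

# Constructed sample: primary signs and certifies, and one subkey claims the
# certify capability, which the thread notes is meaningless for the web of trust.
ODD_LISTING = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1269000000:::u:::scESC:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1269000000::::::c:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1269000000::::::e:
"""


@dataclass
class KeyRecord:
    kind: str                                  # "pub" (primary) or "sub"
    keyid: str
    caps: set = field(default_factory=set)     # own usage flags: c, s, e, a


def parse_listing(text):
    """Return a KeyRecord for every pub/sub line in a --with-colons listing."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) <= CAP_FIELD:
            continue
        own = {ch for ch in fields[CAP_FIELD] if ch.islower()}
        records.append(KeyRecord(fields[0], fields[4], own))
    return records


def audit(records):
    """Return human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    for rec in records:
        if rec.kind == "pub" and "c" not in rec.caps:
            findings.append(f"primary {rec.keyid} lacks the certify capability "
                            "(OpenPGP requires every primary key to certify)")
        if rec.kind == "sub" and "c" in rec.caps:
            findings.append(f"subkey {rec.keyid} carries the certify capability "
                            "(certifications from subkeys are ignored)")
    return findings


def is_cert_only_primary(records):
    """True when the primary is certify-only and signing/encryption sit on subkeys."""
    primaries = [r for r in records if r.kind == "pub"]
    subs = [r for r in records if r.kind == "sub"]
    if len(primaries) != 1 or primaries[0].caps != {"c"}:
        return False
    sub_caps = set().union(*(s.caps for s in subs)) if subs else set()
    return {"s", "e"} <= sub_caps


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else GOOD_LISTING
    recs = parse_listing(listing)
    for r in recs:
        print(f"{r.kind} {r.keyid} own caps: {''.join(sorted(r.caps)) or '-'}")
    print("certify-only primary with s/e subkeys:", is_cert_only_primary(recs))
    for line in audit(recs):
        print("finding:", line)
```

Only the lowercase letters of the capability field are inspected, because the uppercase summary on the `pub` line reflects what the subkeys can do and would otherwise make a certify-only primary look like it signs and encrypts itself.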


More information about the Gnupg-users mailing list