2.0.14 --gen-key interface nit

MFPA expires2010 at ymail.com
Tue Mar 23 14:10:03 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 22 March 2010 at 2:30:36 PM, in
<mid:DE66FDCB-7796-45C6-A951-7B60DA26E4E3 at jabberwocky.com>, David Shaw
wrote:

> On Mar 22, 2010, at 8:48 AM, MFPA wrote:
>> The thing that stands out to me is the lack of an
>> option to toggle the certify capability.

> That is by design, though the reason why is different
> for primary keys and subkeys.  For primary keys,
> OpenPGP requires this.  All primary keys must be able
> to certify.

Fair enough. I was thinking about the "special case" of users who
maintain a "personal master key" to collect and issue web of trust
signatures and to sign the "production" keys they actually use for
encryption and signing files or email. That set-up would be
well-served by the production keys being unable to certify. Of course,
a certify-only primary key with subkeys for signing and encryption is
the more standard way to achieve essentially the same thing.



> For subkeys, the web of trust is built
> between signatures on primary keys, so a certifying
> subkey would not actually serve any purpose (signatures
> from it would be ignored).  Note there is no official
> standard web of trust document that defines this, but
> it is the convention that all current programs that use
> the web of trust adhere to.

I never thought a certifying subkey would make a lot of sense. Any way
I thought about it, a signature from such a beast would mean exactly
the same as a signature from the primary key or, in certain
situations, add confusion/ambiguity with no discernible benefit.


- --
Best regards

MFPA                    mailto:expires2010 at ymail.com

A bird in the hand makes it awfully hard to blow your nose
-----BEGIN PGP SIGNATURE-----

iQCVAwUBS6i9raipC46tDG5pAQqFjQQAnXIV/KcgDjPct4QsNFwcawIg21fsZmLr
yAO+uXViQ4Mu3GbJI4oI449sIOq+Paod2UJ3PP4Sy82jZ2+WjtZwQDy84vnpw3RR
pG/0PSkMqBajM4TEsrGNYTb3MR4RBruBFNtPf96lV3gyFOuTQJ8iYSw73rwxOS47
II+a94cPGHc=
=iB64
-----END PGP SIGNATURE-----
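The capability conventions discussed in this thread (every primary key must carry the certify flag; a certify flag on a subkey is ignored by web-of-trust software; the usual alternative to a separate "personal master key" is a certify-only primary with signing and encryption subkeys) are expressed in OpenPGP by the Key Flags signature subpacket. The following Python is an added illustration, not code from the thread or from GnuPG: it decodes the Key Flags bit values and subpacket framing defined in RFC 4880 (section 5.2.3.21 for the flags, 5.2.3.1 for the one-octet length form) and checks a constructed key layout against the two conventions David Shaw describes. The `KeyLayout` class, `check_layout` function and the sample byte strings are assumptions made for this example.

```python
# Added example (not part of the gnupg-users thread or of GnuPG): decode
# OpenPGP Key Flags and check a key layout against the conventions above.
from __future__ import annotations

from dataclasses import dataclass, field

# Key Flags bit values from RFC 4880, section 5.2.3.21.
KEY_FLAG_NAMES = {
    0x01: "certify",
    0x02: "sign",
    0x04: "encrypt-communications",
    0x08: "encrypt-storage",
    0x10: "private-key-split",
    0x20: "authenticate",
    0x80: "private-key-shared",
}
CERTIFY = 0x01
KEY_FLAGS_SUBPACKET_TYPE = 27  # signature subpacket type for Key Flags (RFC 4880)


def decode_key_flags(flags: int) -> list[str]:
    """Return the capability names set in one Key Flags octet, lowest bit first."""
    return [name for bit, name in sorted(KEY_FLAG_NAMES.items()) if flags & bit]


def parse_key_flags_subpacket(data: bytes) -> int:
    """Parse a Key Flags subpacket using the one-octet length form and
    return its first flags octet.

    Framing (RFC 4880 5.2.3.1): length octet (covers type + body), type octet,
    body.  Lengths of 192 and above use multi-octet encodings that this
    illustration deliberately does not handle.
    """
    if len(data) < 3:
        raise ValueError("subpacket too short")
    length = data[0]
    if length >= 192:
        raise ValueError("only the one-octet length encoding is handled here")
    if data[1] != KEY_FLAGS_SUBPACKET_TYPE:
        raise ValueError(f"not a Key Flags subpacket (type {data[1]})")
    if len(data) < 1 + length:
        raise ValueError("truncated subpacket")
    return data[2]


@dataclass
class KeyLayout:
    """Assumed helper type: flags of a primary key and of its subkeys."""
    primary_flags: int
    subkey_flags: list[int] = field(default_factory=list)


def check_layout(layout: KeyLayout) -> list[str]:
    """Return the ways a layout departs from the conventions in the thread."""
    problems = []
    if not layout.primary_flags & CERTIFY:
        problems.append(
            "primary key lacks certify: OpenPGP requires every primary key to certify"
        )
    for index, flags in enumerate(layout.subkey_flags):
        if flags & CERTIFY:
            problems.append(
                f"subkey {index} carries certify, which web-of-trust software ignores"
            )
    return problems


if __name__ == "__main__":
    # Constructed subpacket: length 2, type 27, flags 0x03 (certify + sign).
    flags = parse_key_flags_subpacket(b"\x02\x1b\x03")
    print("decoded:", decode_key_flags(flags))

    # The standard layout: certify-only primary, signing and encryption subkeys.
    standard = KeyLayout(primary_flags=0x01, subkey_flags=[0x02, 0x0C])
    # A "production" key as imagined in the thread, with no certify capability.
    production = KeyLayout(primary_flags=0x02, subkey_flags=[0x0C])
    # A key with a certifying subkey.
    odd = KeyLayout(primary_flags=0x03, subkey_flags=[0x01])
    for name, layout in [("standard", standard), ("production", production), ("odd", odd)]:
        print(name, check_layout(layout) or "ok")
```

Running the block prints the decoded capabilities of the constructed subpacket and then reports that the "standard" layout passes, the certify-less "production" primary violates the OpenPGP requirement, and the certifying subkey is flagged as serving no purpose.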