2.0.14 --gen-key interface nit
expires2010 at ymail.com
Tue Mar 23 14:10:03 CET 2010
On Monday 22 March 2010 at 2:30:36 PM, in
<mid:DE66FDCB-7796-45C6-A951-7B60DA26E4E3 at jabberwocky.com>, David Shaw wrote:
> On Mar 22, 2010, at 8:48 AM, MFPA wrote:
>> The thing that stands out to me is the lack of an
>> option to toggle the certify capability.
> That is by design, though the reason why is different
> for primary keys and subkeys. For primary keys,
> OpenPGP requires this. All primary keys must be able
> to certify.
Fair enough. I was thinking about the "special case" of users who
maintain a "personal master key" to collect and issue web of trust
signatures and to sign the "production" keys they actually use for
encryption and signing files or email. That set-up would be
well-served by the production keys being unable to certify. Of course,
a certify-only primary key with subkeys for signing and encryption is
the more standard way to achieve essentially the same thing.
> For subkeys, the web of trust is built
> between signatures on primary keys, so a certifying
> subkey would not actually serve any purpose (signatures
> from it would be ignored). Note there is no official
> standard web of trust document that defines this, but
> it is the convention that all current programs that use
> the web of trust adhere to.
I never thought a certifying subkey would make a lot of sense. Any way
I thought about it, a signature from such a beast would mean exactly
the same as a signature from the primary key or, in certain
situations, add confusion/ambiguity with no discernible benefit.
MFPA mailto:expires2010 at ymail.com
A bird in the hand makes it awfully hard to blow your nose
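The layout the message above calls the standard approach (a certify-only primary key with separate signing and encryption subkeys) can be built and then verified from GnuPG's machine-readable listing. The script below is an added example, not code from the thread or from the GnuPG project. It assumes GnuPG 2.1 or later (the `--quick-gen-key` / `--quick-add-key` commands did not exist in the 2.0.14 discussed here) with ed25519/cv25519 support; the `--with-colons` listings embedded in it are constructed samples with placeholder key ids, so the capability check can be exercised without touching a real keyring. The live generation step only runs when `GPG_DEMO=1` is set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the GnuPG project):
# build a certify-only primary key with signing and encryption subkeys,
# then confirm from `gpg --with-colons` output that the primary carries
# only the certify flag and that no subkey can certify.
#
# Assumptions: GnuPG 2.1+ (--quick-* commands), ed25519/cv25519 support.

# Print a key's OWN capability letters for every record of type $2
# ("pub" or "sub") in listing $1, space-separated. Field 12 of a
# --with-colons record holds capabilities: lowercase letters are the
# key's own (e=encrypt, s=sign, c=certify, a=auth), uppercase letters
# summarise the whole key block, so they are stripped here.
own_caps() {
    printf '%s\n' "$1" | awk -F: -v rec="$2" '
        $1 == rec { caps = $12; gsub(/[A-Z]/, "", caps)
                    printf "%s%s", sep, caps; sep = " " }
        END { print "" }'
}

# Return 0 when the primary key is certify-only and no subkey certifies.
# (OpenPGP requires every primary key to certify, so "c" must be present;
# the point of the check is that nothing else is.)
primary_is_certify_only() {
    [ "$(own_caps "$1" pub)" = "c" ] || return 1
    case "$(own_caps "$1" sub)" in *c*) return 1 ;; esac
    return 0
}

# Constructed sample of `gpg --list-keys --with-colons` output for the
# intended layout (key ids/fingerprints are placeholders, not real keys).
SAMPLE_LISTING='pub:u:255:22:0123456789ABCDEF:1600000000:1631536000::u:::cESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:255:22:FEDCBA9876543210:1600000000:1631536000:::::s::::::23:
sub:u:255:18:1122334455667788:1600000000:1631536000:::::e::::::23:'

# Constructed counter-example: a conventional primary that also signs.
SIGNING_PRIMARY_LISTING='pub:u:255:22:0123456789ABCDEF:1600000000:1631536000::u:::scESC::::::23::0:
sub:u:255:18:1122334455667788:1600000000:1631536000:::::e::::::23:'

# Generate the layout for real in a throw-away keyring and check it.
live_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    userid="Example User <user@example.invalid>"
    # Certify-only primary key ("cert" usage), one year validity.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$userid" ed25519 cert 1y
    fpr=$(gpg --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')
    # Signing and encryption subkeys hung off that primary.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" ed25519 sign 1y
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" cv25519 encr 1y
    listing=$(gpg --list-keys --with-colons)
    if primary_is_certify_only "$listing"; then
        echo "live key: primary is certify-only"
    else
        echo "live key: primary has capabilities beyond certify" >&2
    fi
    rm -rf "$GNUPGHOME"
}

if primary_is_certify_only "$SAMPLE_LISTING"; then
    echo "sample listing: primary is certify-only"
fi
if [ "${GPG_DEMO:-0}" = 1 ]; then
    live_demo
fi
```

Run it as-is to exercise the checker on the constructed listings; run it with `GPG_DEMO=1` to create the key hierarchy in a temporary `GNUPGHOME` and check the real output. The same `primary_is_certify_only` check can be pointed at `gpg --list-keys --with-colons` output from any existing keyring to audit whether a "production" key follows this layout.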