2.0.14 --gen-key interface nit

David Shaw dshaw at jabberwocky.com
Tue Mar 23 15:27:10 CET 2010

On Mar 23, 2010, at 9:10 AM, MFPA wrote:

> Hash: SHA512
> Hi
> On Monday 22 March 2010 at 2:30:36 PM, in
> <mid:DE66FDCB-7796-45C6-A951-7B60DA26E4E3 at jabberwocky.com>, David Shaw
> wrote:
>> On Mar 22, 2010, at 8:48 AM, MFPA wrote:
>>> The thing that stands out to me is the lack of an
>>> option to toggle the certify capability.
>> That is by design, though the reason why is different
>> for primary keys and subkeys.  For primary keys,
>> OpenPGP requires this.  All primary keys must be able
>> to certify.
> Fair enough. I was thinking about the "special case" of users who
> maintain a "personal master key" to collect and issue web of trust
> signatures and to sign the "production" keys they actually use for
> encryption and signing files or email. That set-up would be
> well-served by the production keys being unable to certify.

Issuing a web of trust signature or signing production keys *are* certifications.  If key couldn't certify, it couldn't even make self-sigs on itself (so no user IDs, or subkeys either)


More information about the Gnupg-users mailing list