Generate digest and signature separately

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jun 13 19:09:43 CEST 2011


On 06/13/2011 01:05 PM, Jerome Baum wrote:
> Of course, you could solve this problem by signing with a sub-key,
> which isn't meant to certify other keys. I do wonder how e.g. PGP
> would react on seeing a key certification from a sub-key.

It should depend on whether the key usage flags for the subkey (in the
subkey binding signature) include the "Certification" capability.

OpenPGP certifications issued by subkeys without the "Certification"
capability should be no more valid than any other random string of bits.

Regards.

	--dkg
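
The check described in the message above, sketched as an added example that is not part of the original post or of any OpenPGP implementation: it walks the hashed subpacket area of a subkey binding signature (RFC 4880 subpacket encoding) and reads the key flags subpacket. The function names and sample bytes are constructed for illustration; the sketch assumes the binding signature itself has already been verified, and treating a missing key flags subpacket as "reject" is this example's own choice.

```python
# Added example (not from the original message). Constants per RFC 4880.
KEY_FLAGS_SUBPACKET = 27   # section 5.2.3.21
FLAG_CERTIFY = 0x01        # "This key may be used to certify other keys."


def iter_subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        type_octet = area[i]                 # length counts this octet too
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + length]
        i += length


def subkey_may_certify(hashed_area: bytes) -> bool:
    """Return True only if the key flags include the Certification bit.

    Pass only the *hashed* subpacket area: unhashed subpackets are not
    covered by the signature and anyone can alter them.
    """
    for sp_type, _critical, body in iter_subpackets(hashed_area):
        if sp_type == KEY_FLAGS_SUBPACKET:
            return len(body) > 0 and bool(body[0] & FLAG_CERTIFY)
    return False  # assumption of this example: no key flags means "reject"


# Constructed sample areas: creation-time subpacket (type 2) + key flags.
CREATED = bytes([5, 2, 0x4D, 0xF6, 0x3F, 0x00])
SIGN_ONLY_SUBKEY = CREATED + bytes([2, 27, 0x02])      # sign data only
CERTIFY_SUBKEY = CREATED + bytes([2, 27, 0x03])        # certify + sign

if __name__ == "__main__":
    for name, area in [("sign-only", SIGN_ONLY_SUBKEY), ("certify", CERTIFY_SUBKEY)]:
        print(name, "-> honour certifications:", subkey_may_certify(area))
```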
