Generate digest and signature seperately

David Shaw dshaw at
Mon Jun 13 20:45:34 CEST 2011

On Jun 13, 2011, at 1:05 PM, Jerome Baum wrote:

>> We had a discussion about smart-card signatures here and basically the
>> issue with passing just a hash is that you can't distinguish data
>> signatures from certifications/key signatures.
> To clarify, you can't tell from the hash, and you can't really add a
> packet "I'm signing data here" vs. "I'm signing a key here". At least
> that's what I got from the discussion on smart-cards, YMMV when it
> comes to a full-blown gnupg install.
> Of course, you could solve this problem by signing with a sub-key,
> which isn't meant to certify other keys. I do wonder how e.g. PGP
> would react on seeing a key certification from a sub-key.

It effectively ignores it.  No OpenPGP program currently accepts certifications from subkeys.  The standard doesn't say yes or no on the subject, but there is no code that does it today.

Trust models aren't really dealt with in any real depth in the standard - there were discussions at one point of making a different trust model RFC for that.


More information about the Gnupg-users mailing list