Why is there a subkey and a selfsig in a new key?

Simone Cianfriglia crimer at crimer90.co.cc
Tue Nov 8 16:01:05 CET 2011


Hi Adam,

2011/11/8 Adam <adam_w67 at yahoo.com>:
> when creating a new key, gpg2 creates a selfsig and a subkey which is
> selfsigned as well.  Why does it do so?  Why not create just a plain key
> without subkey and selfsig?

gpg2 (and gpg 1 the same) by default creates a 'certificate' with two keys,
one for signing/certifying and the other for encryption. Actually, this
'certificate', composed of a master signing key and an encryption subkey,
is what is generally called a 'key'.

There are some reasons behind this choice; I think the main one is that
it's safer to manage different keys for different needs. You can have only
one signing key to authenticate the messages you send and, at the same time,
have more than one encryption key to enhance your security.
You can, for instance, revoke an encryption key if you think it's
compromised, or if you want to change it because it's superseded, or whatever
you want... while keeping your signing one working, validating what you
sign, independently.

About the self-signature:
Your 'certificate' is an association between your cryptographic keys and
your identities. The self-signature is what makes this 'magic' work, thus
binding the two in a strong and verifiable relationship.
Without it, someone could, for example, add other uids to your key without
any problem, and it could be dangerous for the whole functioning of the
web of trust.
There's also a 'key-binding signature' between your master key and your
subkeys, for the same important reason.

Hope it helps. :-)

Simone
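As an added illustration (not part of the original thread), here is a small Python check that walks a `gpg --list-packets` listing and confirms the two bindings Simone describes: every user ID carries a self-certification (signature class 0x10-0x13) issued by the primary key, and every subkey carries a 0x18 key-binding signature from it. The sample listing is constructed, its exact line format and the key IDs are assumptions, and a user ID with no self-certification is included on purpose so the check has something to flag.

```python
# Constructed, abridged listing in the style of `gpg --list-packets` output;
# the exact format is an assumption, key IDs and names are placeholders, and
# the last user ID deliberately carries no self-certification.
SAMPLE = """\
:public key packet:
    keyid: 0123456789ABCDEF
:user ID packet: "Alice <alice@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1320764465, md5len 0, sigclass 0x13
:public sub key packet:
    keyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1320764465, md5len 0, sigclass 0x18
:user ID packet: "Mallory <mallory@example.org>"
"""
SELF_CERT, SUBKEY_BINDING = {0x10, 0x11, 0x12, 0x13}, 0x18  # UID certs; subkey binding

def audit_packets(listing):
    """Return (primary_keyid, items, problems); items hold kind, name, sigs in packet order."""
    primary, items, current, issuer = None, [], None, None
    for line in listing.splitlines():
        s = line.strip()
        if s == ":public key packet:":
            current = {"kind": "primary", "name": None}
        elif s == ":public sub key packet:":
            current = {"kind": "subkey", "name": None, "sigs": []}
            items.append(current)
        elif s.startswith(":user ID packet:"):
            name = s.split(":", 2)[2].strip().strip('"')
            current = {"kind": "uid", "name": name, "sigs": []}
            items.append(current)
        elif s.startswith("keyid:") and current is not None:
            current["name"] = s.split()[1]
            if current["kind"] == "primary":
                primary = current["name"]
        elif s.startswith(":signature packet:"):
            issuer = s.split("keyid ")[1].split()[0]  # who made the signature
            current = None
        elif "sigclass 0x" in s and items:
            # a signature packet follows the user ID or subkey it certifies
            sigclass = int(s.split("sigclass 0x")[1].split()[0], 16)
            items[-1]["sigs"].append((sigclass, issuer))
    problems = []
    for it in items:
        by_primary = {c for c, who in it["sigs"] if who == primary}
        if it["kind"] == "uid" and not by_primary & SELF_CERT:
            problems.append(f"user ID {it['name']!r} lacks a self-certification")
        if it["kind"] == "subkey" and SUBKEY_BINDING not in by_primary:
            problems.append(f"subkey {it['name']} lacks a binding signature")
    return primary, items, problems
```

Running `audit_packets(SAMPLE)` reports only the unsigned "Mallory" user ID; Alice's user ID and the encryption subkey pass because their certifications come from the primary key.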
