Trying to understand the bond between master and subordinal key pairs

Michael Anders micha137 at gmx.de
Wed Feb 12 12:40:16 CET 2014


On Wed, 2014-02-12 at 11:38 +0100, gnupg-users-request at gnupg.org wrote:
> On Wed 12.02.2014, 07:02:51 Faru Guredo wrote:
> 
> > This is suggested -- as far as I understand -- in order to keep
> > the original master key for signing in a secret place, because master
> > signing key = my genuine identity. But.
> 
> Signing (data) is not the relevant aspect of a mainkey. Certification
> (i.e. signing key components) is. You can create mainkeys which are not
> capable (i.e.: not allowed) of signing data at all.
> 
> 
> > Which public keys should be uploaded to the keyserver?
> 
> All public keys must be available to the public. (You cannot even
> prevent that from happening.) The public mainkey is necessary for the
> verification that the subkeys belong to this mainkey. Furthermore it is
> needed for the fingerprint check.
> 
> 
> > But what about gathering
> > signatures of other people on your own public key? Should I upload
> > public key of my master signing key along with the public key of the
> > subordinate keypair I am planning to use daily?
> 
> These two components are not related at all. These should be two 
> distinct questions.
> 
> 
> > I don't get the bond between master keys and subordinate keys. Does it
> > even exist?
> 
> The mainkey binds the subkeys by signing them. Signature subkeys have to
> sign the mainkey, too, in order to become valid.
> 
> OpenPGP considers signatures by a subkey as equivalent to those by a
> mainkey. But if everyone understands what this means (and how it can be
> checked) then you can use the protected mainkey for more secure
> signatures (if you do not have a more secure other key). You can use it
> for more secure encryption, too (again: If everyone involved understands
> how to do that).
> 
> 
> > To me they look like totally different keys.
> 
> They are, technically. They could even be exchanged. But the OpenPGP key
> format marks one as the mainkey and the other ones as subkeys.
> 
> 
> > Okay, when I
> > usually sign files with key AAAAAAAA when I send them to Alice, and
> > eventually I want to sign her key (which of her keys, actually? The
> > one she uses daily or the one she keeps like me? If she keeps it, how
> > did it get to me? Which public keys supposed to collect signatures of
> > other people -- of the master one or newly created subordinate one?),
> > I need to use my master key BBBBBBBB. How does she know that BBBBBBBB
> > is also my key if they have different IDs?
> 
> That's not the way keys are used. You tell the application to use the
> key 0xAAAAAAAA. That always refers to a mainkey. The OpenPGP subsystem
> (GnuPG) then selects the appropriate key: either the mainkey or a
> subkey. Your contacts only verify 0xAAAAAAAA. Possible subkeys are
> verified automatically (you cannot prevent that). Signatures are shown
> to be made by the mainkey.
> 
> More precisely: GnuPG does show you the subkey which made the signature
> but I don't believe any GUI does (in a way useful to beginners). You can
> even force GnuPG to use a certain subkey (if technically possible) or
> the mainkey and thus override the automatic selection. But I have never
> seen a higher-level application offering that.
> 
> 
> > (Let's assume public key of the master pair is irrelevant,
> 
> That is not a useful assumption.

I kept wondering about this too. 
Thanks a lot for the explanation of how it works.

I am still puzzled, however. Can anyone explain the logical reason as to
why we need this jungle in OpenPGP, which thankworthily is usually more
or less hidden from the user anyways? 
A good reason would help the complicated workings to stick with my
memory :-) 
Why would we need more than one key and this hierarchy on top of it?
(Proper padding according to the standard to my knowledge removes even
the dangers of using the same RSA key for signatures as well as for
ciphers.)

Is the necessity (given that it is there) for the subkey hierarchy
endemic to RSA or would such a structure also be needed for ECC or other
cryptosystems?

Cheers,
   Michael Anders
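
The bond described in the quoted reply (the mainkey signs each subkey, and a signing subkey has to sign the mainkey back) is visible in the packet layout of an exported public key. The following is an added example, not part of the original message and not GnuPG code: it walks the RFC 4880 packet stream and reports, per subkey, whether a subkey binding signature (type 0x18) follows it and whether a signing-capable subkey carries the embedded primary key binding signature (type 0x19). It checks structure only and verifies no signature; the function names and the sample bytes are constructed for illustration.

```python
def read_len(buf, i):
    """Decode a new-format length at buf[i] (partial body lengths unsupported)."""
    n = buf[i]
    if n == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    return (n, i + 1) if n < 192 else (((n - 192) << 8) + buf[i + 1] + 192, i + 2)

def packets(data):
    """Yield (tag, body); old and new headers, indeterminate lengths unsupported."""
    i = 0
    while i < len(data):
        head, i = data[i], i + 1
        if head & 0x40:                       # new format: 6-bit tag
            tag, (n, i) = head & 0x3F, read_len(data, i)
        else:                                 # old format: 1, 2 or 4 length octets
            tag, size = (head >> 2) & 0x0F, 1 << (head & 3)
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def subpackets(body, start):
    """Parse the subpacket area whose 2-octet length sits at body[start]."""
    i, end, out = start + 2, start + 2 + int.from_bytes(body[start:start + 2], "big"), {}
    while i < end:
        n, i = read_len(body, i)              # n includes the type octet
        out[body[i] & 0x7F] = body[i + 1:i + n]
        i += n
    return out, end

def check_bindings(keyring):
    """Return one structural status per subkey packet, in order."""
    status = []
    for tag, body in packets(keyring):
        if tag == 14:                                          # public subkey packet
            status.append("unbound")
        elif tag == 2 and status and body[:2] == b"\x04\x18":  # v4 subkey binding sig
            hashed, end = subpackets(body, 4)
            back = hashed.get(32) or subpackets(body, end)[0].get(32) or b""
            signing = (hashed.get(27) or b"\0")[0] & 0x02      # key flags, hashed area only
            ok = not signing or back[1:2] == b"\x19"           # embedded 0x19 signature
            status[-1] = "bound" if ok else "missing back-signature"
    return status

SAMPLE = bytes.fromhex(  # constructed: placeholder key material, empty signature values
    "99000104" "cd0474657374"                          # primary key, user ID "test"
    "ce0104" "c20d" "041801080003021b0c" "0000" "0000"  # encryption subkey, bound
    "ce0104" "c219" "041801080003021b02" "000c" "0b20" "04190108000000000000" "0000"
    "ce0104" "c20d" "041801080003021b02" "0000" "0000"  # signing subkey, no back-signature
    "ce0104")                                          # subkey with no binding signature
```

check_bindings(SAMPLE) returns one entry per subkey; the third sample line is the signing subkey that carries the embedded back-signature.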




