how to do

Michael Anders an at
Sat Jul 12 22:33:28 CEST 2014

> >Please can you elaborate on how it is incorrect to say that somebody
> >who knows the passphrase to a secret key can make changes to that key.
> >Would this maybe be the case when using an encryption subkey with an
> >offline main key?
> If you make encryption and signing subkeys you can export them (i.e. the secret subkeys), create a new gnupg home directory, 
> import the subkeys, change the password on them, and finally, export
> and distribute them to the people who are supposed to use them.
> By doing this you can have a person who manages the master key separately under another password and the authorized users can 
> use the encryption and signing secret subkeys without being able to
make changes to them....

I think we are in danger of working with different concepts of what "not
being able to" means.

On a first level, if you have read/write access to the key-file, it is
just a file and you can do pretty much anything with it.

On a second level, proper cryptographic protection may prevent you from
doing anything sensible with it, if you don't have access to the
protecting secret(e.g.the GnuPG access passphrase).

On a third level you may know the secret access key but within the small
world of a particular cryto tool (GnuPG in this case) you "cannot do".
You may sit down and code it yourself, however.

This third level of "cannot do" is usually disregarded by cryptographers
and IT-security people, yet I think this is probably the kind of "cannot
do" we are talking about here.
I have to admit I don't know much about the way the subkey structure is
organized internally in OpenPGP, so if there is some true cryptographic
protection of the subkey relationships, may someone who knows about it
please tell me. 
If there were true cryptographic protection, it would have to work
without a password. This might be very interesting crypto stuff
then :-)..

My gut feeling makes me believe this protection is impossible with
cryptographically independent keys, however, and that you could always
at least embed the exported subkey into a newly created parent key
structure and newly design whatever sub/super-key structure you like
around the exported key. 

So unless there is convincing cryptographic reasoning about why you
cannot do something to the key you have the access password to, I would
not rely on the "cannot do".

   Michael Anders

More information about the Gnupg-users mailing list