more bikeshedding about offline primary keys & auth subkeys

David Shaw dshaw at
Wed Jun 25 20:30:18 CEST 2014

On Jun 25, 2014, at 1:53 PM, Jérôme Pinguet <jerome at> wrote:

> Hello!
> Thanks to Werner, I learned a new english word today: bikeshedding! :-)
> This guide
> suggests
> creating a subkey with authentication capability. Most other sources
> stress the fact that the primary key and the offline computer must be
> used to authenticate other people's public keys.
> I'm at a loss.
> Can I use an RSA subkey with autentication capability (and cross
> certified) to authenticate other people's public keys, will it be
> recognized by sks key servers and used in the web of trust?
> Or do I have to use the primary key?

I think the confusion here is with the term "authenticate".  The ability to sign someone else's key is to "certify".  To "authenticate" is to prove your identity (for example, using an OpenPGP keys for ssh).  You can only certify with a primary key, and all primary keys are capable of certification (you literally can't turn the ability off).  Authentication is a different capability.


More information about the Gnupg-users mailing list