Toggle the authenticate capability

Roy A. Gilmore rag at ragged-software.com
Mon Dec 5 01:37:21 CET 2016


Hi Andrew,

I didn't think that it would actually hurt anything, but, I wasn't sure
about the internals. I'm a little bit OCD (or anal, or whatever
neo-psychobabble term applies), and having the authentication capability
on the signing key, after creating an authentication subkey just LOOKED
wrong to me, whether it is wrong, is another story...

Thank you,

Roy A. Gilmore


On 12/04/2016 03:09 PM, Andrew Gallagher wrote:
> Hi Roy,
>
> You normally don't need to remove the A capability from a signing key. By default, gnupg will use the most recently created valid subkey with the appropriate capability, so all you need to do is create a new A subkey and it will be used in preference to the old one. Mathematically, authentication is just a special case of signing, so having both S and A on a subkey does not introduce extra vulnerabilities (that we know of). 
>
> It is technically possible to change the capability flags on any key, but you can't do it with a vanilla version of the software. There is a patch somewhere in the archives of this list but I would recommend against it. The only use case where it would be necessary to remove a capability flag would be if you had created an encryption key that also had S or A capability - but it's almost impossible to do it by accident and in such cases it's safer to revoke the key and start again.
>
> Andrew Gallagher
>
>> On 4 Dec 2016, at 21:29, Roy A. Gilmore <rag at ragged-software.com> wrote:
>>
>> Hi,
>>
>> I have a keypair that was initially generated with the defaults, so the
>> signing key also has the authenticate capability enabled. I want to add
>> a separate authentication subkey for use with an OpenPGP smartcard. Is
>> there any way to turn the authenticate capability off on the signing
>> key? It doesn't sound like it should be that difficult, but I've
>> searched using several different search terms, and I can't seem to find
>> a way to do this.
>>
>> Roy A. Gilmore
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>

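Andrew's rule (gpg picks the most recently created valid subkey carrying the needed capability) and Roy's wish to see the flags on each key can both be checked from the machine-readable listing. The script below is an added example, not code from the thread or from GnuPG; it parses a constructed `gpg --with-colons --list-keys` listing (the sample is made up, with one primary key that is S, C and A, one E subkey, a newer A subkey, and a revoked A subkey) and reproduces the selection rule as a simplification. Capability flags sit in field 12 of the `pub:`/`sub:` records, lowercase for the key's own usage and uppercase for the whole-key summary. The `gpg` calls at the end assume GnuPG 2.1 or later and are only run if `gpg` is installed.

```shell
# Constructed sample listing (not from a real keyring): a primary key with own
# usage "sca", an encryption subkey, a newer authentication subkey, and a newer
# but revoked (validity "r") authentication subkey.
SAMPLE_COLONS='pub:u:4096:1:AAAABBBBCCCCDDDD:1480000000:::u:::scaESCA::::::23::0:
fpr:::::::::0000111122223333444455556666AAAABBBBCCCCDDDD:
uid:u::::1480000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user at example.invalid>::::::::::0:
sub:u:4096:1:1111222233334444:1480000000::::::e::::::23:
sub:u:255:22:5555666677778888:1480800000::::::a::::::23:
sub:r:4096:1:9999AAAABBBBCCCC:1480900000::::::a::::::23:'

# keys_with_usage FLAG LISTING
# Print "keyid creation own-usage validity" for every pub/sub record whose own
# (lowercase) capability flags contain FLAG (one of e s c a).
keys_with_usage() {
    printf '%s\n' "$2" | awk -F: -v flag="$1" '
        ($1 == "pub" || $1 == "sub") {
            own = $12
            gsub(/[A-Z]/, "", own)        # drop the uppercase whole-key summary
            if (index(own, flag)) print $5, $6, own, $2
        }'
}

# newest_valid_key_with_usage FLAG LISTING
# Approximation of the rule quoted in the thread: among keys carrying FLAG that
# are not revoked ("r") or expired ("e"), take the most recently created one.
# Assumption: gpg applies further checks (expiry dates, disabled keys) that are
# not modelled here.
newest_valid_key_with_usage() {
    keys_with_usage "$1" "$2" \
        | awk '$4 != "r" && $4 != "e"' \
        | sort -k2,2n | tail -n 1 | cut -d' ' -f1
}

# Real-keyring helpers (assume GnuPG 2.1+; skipped when gpg is absent).
# list_usage FPR       -> colon listing for one key, suitable for the parsers above
# add_auth_subkey FPR  -> add an Ed25519 authentication-only subkey, as Roy wants
list_usage()      { gpg --with-colons --list-keys "$1"; }
add_auth_subkey() { gpg --quick-add-key "$1" ed25519 auth; }

# Stand-alone demonstration on the constructed sample.
echo "keys with A capability (keyid created usage validity):"
keys_with_usage a "$SAMPLE_COLONS"
echo "key gpg would prefer for A: $(newest_valid_key_with_usage a "$SAMPLE_COLONS")"
echo "key gpg would prefer for E: $(newest_valid_key_with_usage e "$SAMPLE_COLONS")"

if command -v gpg >/dev/null 2>&1; then
    echo "gpg found; run: list_usage <fingerprint> | awk -F: '\$1==\"pub\"||\$1==\"sub\"{print \$5, \$12}'"
fi
```

The output shows that the older primary key keeps its "a" flag, yet the newer valid subkey 5555666677778888 is the one selected, which is Andrew's point: adding the subkey is enough, and the revoked newer key is skipped rather than preferred. On a real keyring, `gpg --list-keys --list-options show-usage` prints the same flags in human-readable form.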