Toggle the authenticate capability

Peter Lebbing peter at
Mon Dec 5 12:18:01 CET 2016

On 05/12/16 00:09, Andrew Gallagher wrote:
> Mathematically, authentication is just a special case of
> signing, so having both S and A on a subkey does not introduce extra
> vulnerabilities (that we know of).

Mathematically, I think you're wrong, it's very vulnerable :-).
Authentication is signing the challenge sent to you by someone else,
signature is signing the data you wish to approve of in some way. So if
I can send you a challenge that would turn into a nice signature of you
authorizing a bank payment to me, that would be easy money.

However, in practice, a challenge has a different format than a data or
key signature, and they can be differentiated. This isn't math, though.
For RSA, you still do the modular exponentiation of RSA.

When I brought up the issue some time ago here, I got no response, so I
concluded it's not a problem. I was worried that some future
authentication mechanism might actually produce the same data structure
as a normal signature, but the lack of shared concern made me think it's
probably not an issue then.

> in such cases it's safer to revoke the key and start
> again.

If this is a signature /subkey/, they can be rotated willy-nilly. Expire
the current signature key, create a new one and delete the private part
of the old signature key. It doesn't need to be revoked.

Which defaults produce an authentication-capable key by the way? I don't
remember seeing that.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list