tom at ritter.vg
Sun Jan 3 17:25:19 CET 2016
I'm curious about creating a subkey capable of certifying other PGP
keys. I don't think this is disallowed by the spec (although I'm not
certain about that).
It's easy enough to create a subkey with the certification bit by
hacking the source. I haven't quite gotten the signing-with-a-subkey
component working, but it's obviously possible. The signer would need
the custom version of gpg, but that's easy.
I know it goes against the standard practice model of OpenPGP, but
short of replicating a x509 hierarchy in OpenPGP (which would not work
well, due to requiring clients to download the 'intermediate' keys for
'leaf' verification) - this seems like my best bet at the moment...
What I'm mostly interested in it _verifying_ signatures made with a
subkey. Has anyone attempted this before, and know if default gpg
and/or other tools completely choke on this? It obviously wouldn't be
worth attempting if no one could verify the signatures.
More information about the Gnupg-users