Certification Subkey

Werner Koch wk at gnupg.org
Mon Jan 4 17:03:13 CET 2016

On Sun,  3 Jan 2016 17:25, tom at ritter.vg said:
> I'm curious about creating a subkey capable of certifying other PGP
> keys. I don't think this is disallowed by the spec (although I'm not
> certain about that).

It is not explicitly stated about self-signatures on user ids but it is
stated for key binding signatures.  Thus you might be right that it is
not disallowed.  However, allowing this would very likely violate our
security model and thus sensible implementations will only self- or
key-binding signatures done using the primary key.  The only exception I
see are Embedded Signature sub-packets (

> It's easy enough to create a subkey with the certification bit by
> hacking the source. I haven't quite gotten the signing-with-a-subkey

FWIW, recent versions of gpg allow you to enter


for a certification only key on the key capability prompt - but it is
only honored for the primary key.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list