Local-signing without (offline) private master key

André Colomb andre at colomb.de
Mon Sep 12 11:04:24 CEST 2016

Hi all,

this is my first post to GnuPG-users, please be gentle :-)

My OpenPGP setup currently includes an offline master key (see attached
public key) with three subkeys on a Yubikey USB "smartcard". Amongst
them is a signing subkey with "usage: S" flag, but only the master key
has the Certify capability (usage: SC).

Now I want to import someone else's key to verify a signature. In order
to verify that signature, I need to at least locally sign the owner's
key, AFAIK. However, I would need my offline master key (read: really
inconvenient) to issue a signature.

What is the recommended practice if I only want to verify message
integrity, but don't have the master key with Certify ability available?

One solution that comes to mind would be to add a new certification
subkey that I keep on my machine instead of the smartcard, and only use
it for local signatures. Would that make sense or what complications
should I expect?

Building a Web of Trust with an offline master key seems rather
difficult, even just to verify incoming emails. Maybe the upcoming TOFU
trust model would help my usage pattern?

Thanks for any pointers or explanation.

Kind regards,
From: André Colomb <andre at colomb.de>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x9F45D0FB.asc
Type: application/pgp-keys
Size: 5371 bytes
Desc: not available
URL: </pipermail/attachments/20160912/d887f110/attachment-0001.key>