Is it possible to certify (sign) a key using a subkey?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Aug 18 05:25:26 CEST 2017
On Thu 2017-08-17 19:47:16 -0500, Mario Castelán Castro wrote:
> I have chosen RSA as a “known good” algorithm for the primary key
> because if I choose a different curve or algorithm for elliptic key once
> I have the required knowledge to make an informed decision it will be
> more convenient to change only a subkey than to generate a new primary
> key. For example, I can keep the signatures (certifications) that I
> accumulate during that time on my key, supposing I have the opportunity
> to go to a signing party.
I still don't think this is a good justification, fwiw. If you think
you'll be making these certifications for other people to consume,
please do those other people a favor and just use your primary key.
The OpenPGP world has a habit of trying to make things too fancy. Keep
> Also, using a subkey for signing still has a size advantage. If you
> have, say, 5 keys signed by my ECC subkey, there will be less size
Where are you trying to save these bytes?
> Anyway, my question still stands: How can I enable the certificate
> capability on a subkey with GPG?
I don't know of a way to change usage flags on an existing subkey with
GnuPG without modifying the source.
You can add a new subkey with your chosen usage flags in --expert mode,
though. But I don't recommend it.