Is it possible to certify (sign) a key using a subkey?

Mario Castelán Castro marioxcc.MT at yandex.com
Fri Aug 18 16:16:45 CEST 2017


On 2017-08-17 23:25 -0400 Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:
>I still don't think this is a good justification, fwiw.  If you think
>you'll be making these certifications for other people to consume,
>please do those other people a favor and just use your primary key.
>The OpenPGP world has a habit of trying to make things too fancy.  Keep
>it simple!

I really do not follow your argument (if any). Whether I sign with my
primary key or a subkey is a low-level detail. There is no additional
difficulty encountered by the user who verifies a certificate made by a
subkey, assuming he is using a capable OpenPGP implementation.

This is a low-level detail that is for the most part abstracted from the user
by the implementation (GNU PG). Just as users need not know number theory in
order to use public key algorithms, they need not be concerned about whether
I use my primary key or a subkey for certifying.

>> Also, using a subkey for signing still has a size advantage. If you
>> have, say, 5 keys signed by my ECC subkey, there will be less size
>
>Where are you trying to save these bytes?

In my own and other people's keyrings and in key servers.

>I don't know of a way to change usage flags on an existing subkey with
>GnuPG without modifying the source.
>
>You can add a new subkey with your chosen usage flags in --expert mode,
>though.  But i don't recommend it.

Like I said in a previous message, even using “gpg --expert
--edit-key” (GNU PG version 2.1.18 as shipped in Debian 9), I do not get
the option to toggle the certify capability when adding a new subkey, not
even if I choose the option “choose your own capabilities”.

Hmm... it looks like I will have to do some programming. This is not good.
GNU PG should already have this feature.

Regards.
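As an added illustration (not part of this thread or of GnuPG itself), the following shell snippet shows how to check which keys in a keyring actually carry the certify capability by reading field 12 of `gpg --with-colons --list-keys` output. The key records below are constructed sample data with made-up key IDs and fingerprints; on a real keyring you would pipe the output of `gpg --with-colons --list-keys` into the same functions.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-keys` output (key IDs and
# fingerprints are made up). Field 12 holds the capabilities: lowercase
# letters (e, s, c, a) are the capabilities of that particular key; uppercase
# letters on the pub line summarise what the whole key (primary plus subkeys)
# can do.
SAMPLE_COLONS='pub:u:255:22:AAAAAAAA11111111:1502000000:::u:::scESCA::::::23::0:
fpr:::::::::AAAAAAAA11111111AAAAAAAA11111111AAAAAAAA:
uid:u::::1502000000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::Example User <user at example.invalid>::::::::::0:
sub:u:255:22:BBBBBBBB22222222:1502000000::::::s::::::23:
fpr:::::::::BBBBBBBB22222222BBBBBBBB22222222BBBBBBBB:
sub:u:255:18:CCCCCCCC33333333:1502000000::::::e::::::23:
fpr:::::::::CCCCCCCC33333333CCCCCCCC33333333CCCCCCCC:
sub:u:255:22:DDDDDDDD44444444:1502000000::::::a::::::23:
fpr:::::::::DDDDDDDD44444444DDDDDDDD44444444DDDDDDDD:'

# Print "<type> <keyid> <own-capabilities>" for every pub/sub record, keeping
# only the lowercase (per-key) capability letters of field 12.
key_caps() {
    printf '%s\n' "$1" | awk -F: '$1=="pub" || $1=="sub" {
        caps=$12; gsub(/[A-Z]/, "", caps); print $1, $5, caps }'
}

# Print the key IDs that are themselves able to certify (lowercase "c").
certify_capable() {
    key_caps "$1" | awk '$3 ~ /c/ {print $2}'
}

# Print only the subkeys that can certify. On a keyring generated by a stock
# GnuPG this list is normally empty, which is the situation the thread
# discusses: the certify flag stays on the primary key.
certify_capable_subkeys() {
    key_caps "$1" | awk '$1=="sub" && $3 ~ /c/ {print $2}'
}
```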