Is it possible to certify (sign) a key using a subkey?

Peter Lebbing peter at
Fri Aug 18 18:33:47 CEST 2017

On 18/08/17 16:16, Mario Castelán Castro wrote:
> I really do not follow your argument (if any).

Since making certifications using subkeys is extremely uncommon, there's
a good chance people will encounter issues when checking such a
certification. Since the purpose of a public certification is for other
people, not you, to check it, you are not doing them a service.

> In my own and other people's keyrings and in key servers.

The impact of you doing this on your own seems vanishingly small. And
the ratio of disk space used by a public keyring versus everything else
that is commonly on a computer isn't different. If I were looking for
optimizations, I'd turn to processing time of a public keyring, not its

> GNU PG should already have this feature.

I disagree. The de facto standard is that certifications are issued by
the primary, even if this might not be encoded in the RFC (I didn't
check, though). You could create an ECC primary if you really want to
issue certifications with ECC. Do note that there are many OpenPGP
clients that do not support ECC yet.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
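
A check a verifier could run for the situation discussed above, as an added example that is not part of the original message or of GnuPG: it scans a `gpg --with-colons --list-sigs` listing for user ID certifications whose issuer is a subkey rather than a primary key. The key IDs, names and sample listing are constructed, and the function name is hypothetical.

```python
# Constructed key IDs and listing, for illustration only.
ALICE, ALICE_SUB = "AAAAAAAAAAAAAAA1", "AAAAAAAAAAAAAAA2"
BOB, BOB_SUB = "BBBBBBBBBBBBBBB1", "BBBBBBBBBBBBBBB2"
SAMPLE = f"""\
pub:u:4096:1:{ALICE}:1500000000:::u:::scESC:
uid:u::::1500000000::HASH1::Alice <alice@example.org>:
sig:::1:{ALICE}:1500000000::::Alice <alice@example.org>:13x:
sig:::22:{BOB_SUB}:1500000100::::Bob <bob@example.org>:10x:
sub:u:4096:1:{ALICE_SUB}:1500000000::::::e:
sig:::1:{ALICE}:1500000000::::Alice <alice@example.org>:18x:
pub:u:256:22:{BOB}:1500000000:::u:::scESC:
uid:u::::1500000000::HASH2::Bob <bob@example.org>:
sig:::22:{BOB}:1500000000::::Bob <bob@example.org>:13x:
sub:u:256:22:{BOB_SUB}:1500000000::::::sc:
sig:::22:{BOB}:1500000000::::Bob <bob@example.org>:18x:
"""

# OpenPGP signature types 0x10-0x13 are certifications of a user ID.
CERT_CLASSES = {"10", "11", "12", "13"}


def subkey_certifications(listing):
    """Return (certified primary, user ID, issuing subkey) for each
    user ID certification whose issuer key ID belongs to a subkey.

    Only subkeys present in the same listing can be recognised.
    """
    rows = [line.split(":") for line in listing.splitlines() if line]
    # Pass 1: field 5 of every "sub" record is a subkey's key ID.
    subkeys = {r[4] for r in rows if r[0] == "sub" and len(r) > 4}
    findings, primary, uid = [], None, None
    # Pass 2: walk the records in order, tracking which key and
    # user ID each "sig" record applies to.
    for r in rows:
        kind = r[0]
        if kind == "pub":
            primary, uid = r[4], None
        elif kind == "uid":
            uid = r[9]
        elif kind == "sub":
            uid = None  # sigs after a subkey are binding signatures
        elif kind == "sig" and uid is not None and len(r) > 10:
            sigclass = r[10][:2]  # field 11, e.g. "10x" -> "10"
            if sigclass in CERT_CLASSES and r[4] in subkeys:
                findings.append((primary, uid, r[4]))
    return findings
```
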
