Is it possible to certify (sign) a key using a subkey?

Leo Gaspard leo at
Fri Aug 18 19:16:03 CEST 2017

On 08/18/2017 06:33 PM, Peter Lebbing wrote:
>> In my own and other people's keyrings and in key servers.
> The impact of you doing this on your own seems vanishingly small. And
> the ratio of disk space used by a public keyring versus everything else
> that is commonly on a computer isn't different. If I were looking for
> optimizations, I'd turn to processing time of a public keyring, not its
> size.

Just for the record, it seems to me that there may be another reason
for separate subkeys for certification, namely the security of the
masterkey.

Having a C subkey would make it possible to keep the masterkey entirely
isolated and to only use a diode to export C subkeys to a “keysigning
machine”, whose compromise would not compromise the masterkey. Then, in
case of compromise of the keysigning machine, it'd be possible to revoke
the C subkey and create another one, then re-sign all the previously
signed keys with this new C subkey, all without losing the signatures on the

This is quite different from “airgapped computers” that use USB drives
to transit to-be-signed keys, as the USB stack in itself (or the
filesystem, or gnupg's certification operation) could be compromised;
the most obvious attack scenario being a BadUSB-like compromise of the
drive's firmware to make it act like a keyboard typing the commands
required to exfiltrate the masterkey.

Then, it's quite sad if C subkeys aren't widely supported, but I guess
that's another issue (and maybe it should be clearly spelled out in the
RFC whether they must be supported? Especially with rfc4880bis in the
works, now could be a good time to choose.)
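Since the whole thread turns on whether a subkey can carry the certification capability, here is an added example (my own, not code from the post or from GnuPG) that walks an OpenPGP packet stream and reports the key-flags subpacket of each subkey-binding signature. It assumes v4 signatures and 1- or 2-octet lengths; the sample packets are constructed with dummy MPIs.

```python
# Added example (not from the post): report the key-flags subpacket (RFC 4880
# type 27) of each subkey-binding signature, i.e. whether a subkey carries C.
CERTIFY, SIGN = 0x01, 0x02
KEY_FLAGS, SUBKEY_BINDING, SIG_TAG = 27, 0x18, 2

def _read_len(buf, i):  # new-format packet/subpacket length, 1- and 2-octet forms
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    raise ValueError("5-octet and partial body lengths are not supported")

def iter_packets(data):
    """Yield (tag, body) for each packet, old- or new-format header."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                  # new-format header
            tag, (length, i) = ctb & 0x3F, _read_len(data, i + 1)
        else:                                           # old-format header (ltype 3 unsupported)
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
            i += 1 + n
        yield tag, data[i:i + length]
        i += length

def key_flags_of_signature(body):
    """Return (signature type, key-flags octet or None) of a v4 signature."""
    assert body[0] == 4, "only v4 signatures are handled"
    i, end, flags = 6, 6 + int.from_bytes(body[4:6], "big"), None
    while i < end:                                      # hashed subpackets only
        sp_len, i = _read_len(body, i)
        if body[i] & 0x7F == KEY_FLAGS and sp_len > 1:  # bit 7 = critical flag
            flags = body[i + 1]
        i += sp_len
    return body[1], flags

def subkey_binding_flags(data):
    """Key-flags octet of every subkey-binding signature (type 0x18) in data."""
    sigs = (key_flags_of_signature(b) for t, b in iter_packets(data) if t == SIG_TAG)
    return [f for stype, f in sigs if stype == SUBKEY_BINDING]

def has_certify_subkey(data):
    return any(f is not None and f & CERTIFY for f in subkey_binding_flags(data))

# Constructed sample (dummy MPIs): primary self-sig C+S, S-only subkey, C subkey.
SAMPLE = bytes.fromhex(
    "c210 04131608 0003 021b03 0000 1234 0008ab"
    "8810 04181608 0003 021b02 0000 1234 0008ab"
    "c210 04181608 0003 021b01 0000 1234 0008ab")
```

Run against a real exported public key (`gpg --export`), the same walk shows which binding signatures, if any, advertise C; the primary key's own 0x13 self-signature is deliberately left out of the result.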
