Expanding web-of-trust with subkey

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Wed Feb 15 12:51:22 CET 2017

On 02/15/2017 04:02 AM, Didrik Nordström wrote:

> So.. Do I need access to my master key in order to expand my web of
> trust? This seems like quite a restriction.

Yes, although you can generate a local CA key to use for this purpose
for short term validity considerations used for local signatures.

For the visible WoT (i.e one others can use in their determination),
having this limited is a very good thing. And it is one of the
constructs that makes it possible to rotate subkeys due to compromise
(e.g loss of a smartcard) without needing to revoke the full primary key.

> How do you handle key management? Let's say you just want to send a
> signed and encrypted email once to someone who announced their pubkey
> over https? What type of trust would you assign?

no trust, that goes to the ability to verify third parties. Local CA and
local (non-exportable) signature

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Qui audet vincit
Who dares wins

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170215/907f8f2f/attachment.sig>

More information about the Gnupg-users mailing list