Semantics of WOT and Subkeys

Evan Klitzke evan at
Thu Apr 19 04:12:39 CEST 2018

I am trying to understand the semantics of how GnuPG's WOT model 
interacts with subkeys. This is a pretty basic question, so feel free to 
direct me to existing resources if there are any; there must be 
something written on this topic already, but I failed to find anything.

Suppose Alice and Bob want to start using PGP, so they both install GPG 
and create keypairs. At this point in time they both sign each other's 
keys, meaning that they sign each other's master/certification key.

Later Alice learns about subkeys, so she creates a new signing subkey 
for signing her mail/git commits/whatever. How does this work when Bob 
sees the new subkey? Does Bob/GPG treat the signing subkey to be just as 
trusted as Alice's master key? Or is it somehow treated as less trusted, 
since it's one step away from the master key?

Similarly, let's say Carol also starts using PGP, and Alice signs 
Carol's key. From Bob's point of view, is there a difference which key 
(the master key or the subkey) Alice used when signing Carol's key?

Evan Klitzke                      pgp: 0x157EFCACBC648422
e: evan at              w:

More information about the Gnupg-users mailing list