Semantics of WOT and Subkeys
Damien Goutte-Gattat
dgouttegattat at incenp.org
Thu Apr 19 10:16:46 CEST 2018
Hi,

On 04/19/2018 03:12 AM, Evan Klitzke wrote:
> Later Alice learns about subkeys, so she creates a new signing subkey
> for signing her mail/git commits/whatever. How does this work when Bob
> sees the new subkey?

For most purposes, the use of subkeys is "transparent" from the user's
point of view. Users only need to be concerned about their
correspondents' master (or primary) key.

In particular:

> Does Bob/GPG treat the signing subkey to be just as trusted as Alice's master key?

Yes [1].

> From Bob's point of view, is there a difference which key
> (the master key or the subkey) Alice used when signing Carol's key?

Unless Alice played with GnuPG's source code, she can only use her
master key to sign Carol's key.

Signing a key ("certify", to use the proper term), in OpenPGP, is a
special form of signing which requires a key with the "Certify"
capability instead of the "Signing" capability. Only the master key has
that capability. As far as I know it is not possible to generate a
certification-capable subkey.

Hope that helps,

Damien

[1] Assuming the subkey is correctly bound (with correct signatures) to
Alice's master key. But this is something that not even Alice should
have to care about; this is all taken care of by GnuPG when she
generates her new subkey.
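
Editor's added example (not part of the message above, and not GnuPG's own code): the "Certify" versus "Signing" capability split can be read from a machine-readable key listing. The sketch parses a constructed listing in GnuPG's colon format, with field positions as documented in GnuPG's doc/DETAILS; the key IDs, the user ID and the function names `parse_keys` and `keys_able_to` are made up for illustration.

```python
# Added example: the listing below is constructed, not taken from a real keyring.
# Colon-format fields used (1-based, per GnuPG's doc/DETAILS):
#   1 = record type, 2 = validity, 5 = key ID, 12 = key capabilities.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAA:
uid:u::::1500000000::0000000000000000000000000000000000000000::Alice (constructed) <alice@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1520000000::::::s::::::23:
sub:r:4096:1:DDDDDDDDDDDDDDDD:1510000000::::::s::::::23:
"""

CAPS = {"c": "certify", "s": "sign", "e": "encrypt", "a": "authenticate"}
UNUSABLE = {"r", "e", "d", "i"}  # revoked, expired, disabled, invalid


def parse_keys(listing):
    """Return one dict per pub/sub record: type, key ID, validity, capabilities."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # skip fpr, uid and any other record types
        # Lowercase letters are this key's own capabilities. The uppercase
        # letters on a pub record summarise the whole key and are ignored here.
        caps = {CAPS[c] for c in f[11] if c in CAPS}
        keys.append({"type": f[0], "keyid": f[4], "validity": f[1], "caps": caps})
    return keys


def keys_able_to(keys, capability):
    """Key IDs holding the capability that are not revoked/expired/disabled/invalid."""
    return [k["keyid"] for k in keys
            if capability in k["caps"] and k["validity"] not in UNUSABLE]


if __name__ == "__main__":
    keys = parse_keys(SAMPLE)
    for k in keys:
        print(k["type"], k["keyid"], k["validity"], ",".join(sorted(k["caps"])))
    print("can certify:", keys_able_to(keys, "certify"))
    print("can sign:   ", keys_able_to(keys, "sign"))
```

Real input for the parser comes from `gpg --list-keys --with-colons`. In the constructed listing the revoked signing subkey is excluded, which is the case a verifier has to handle when a subkey is retired.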