Semantics of WOT and Subkeys

Damien Goutte-Gattat dgouttegattat at
Thu Apr 19 10:16:46 CEST 2018


On 04/19/2018 03:12 AM, Evan Klitzke wrote:
> Later Alice learns about subkeys, so she creates a new signing subkey 
> for signing her mail/git commits/whatever. How does this work when Bob 
> sees the new subkey?

For most purposes, the use of subkeys is "transparent" from the user's 
point of view. Users only need to be concerned about their 
correspondents' master (or primary) key.

In particular:

> Does Bob/GPG treat the signing subkey to be just as trusted as Alice's master key?

Yes [1].

> From Bob's point of view, is there a difference which key 
> (the master key or the subkey) Alice used when signing Carol's key?

Unless Alice played with GnuPG's source code, she can only use her 
master key to sign Carol's key.

Signing a key ("certify", to use the proper term), in OpenPGP, is a 
special form of signing which requires a key with the "Certify" 
capability instead of the "Signing" capability. Only the master key has 
that capability. As far as I know it is not possible to generate a 
certification-capable subkey.

Hope that helps,


[1] Assuming the subkey is correctly bound (with correct signatures) to 
Alice's master key. But this is something that not even Alice should 
have to care about; this is all taken care of by GnuPG when she 
generates her new subkey.
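
Added example, not part of the original message: the Certify/Sign split described above can be read from the capability field (field 12) of `gpg --list-keys --with-colons`. The key IDs and listing below are constructed placeholders, and the helper names are hypothetical.

```python
# Constructed sample in the format of `gpg --list-keys --with-colons`
# (placeholder key IDs, not a real key). Field 2 is validity, field 5 the
# key ID, field 12 the capability letters.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:
uid:u::::1500000000::::Alice (constructed) <alice@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1520000000::::::s:
sub:r:4096:1:DDDDDDDDDDDDDDDD:1510000000::::::s:
"""

CAP_NAMES = {"c": "certify", "s": "sign", "e": "encrypt", "a": "authenticate"}
UNUSABLE = {"r", "e", "i", "d"}  # revoked, expired, invalid, disabled


def key_capabilities(colon_listing):
    """Return (record_type, keyid, validity, capabilities) per pub/sub record."""
    keys = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        # Lowercase letters are this key's own capabilities. Uppercase
        # letters on the primary key summarise the whole key, so skip them.
        caps = {CAP_NAMES[c] for c in fields[11] if c in CAP_NAMES}
        keys.append((fields[0], fields[4], fields[1], caps))
    return keys


def keys_able_to(colon_listing, capability):
    """Key IDs that carry the capability and are not revoked/expired/invalid."""
    return [keyid
            for _, keyid, validity, caps in key_capabilities(colon_listing)
            if capability in caps and validity not in UNUSABLE]


if __name__ == "__main__":
    for rec, keyid, validity, caps in key_capabilities(SAMPLE):
        print(rec, keyid, validity, ",".join(sorted(caps)))
    print("can certify:", keys_able_to(SAMPLE, "certify"))
    print("can sign:   ", keys_able_to(SAMPLE, "sign"))
```

On a real keyring, pass the text printed by `gpg --list-keys --with-colons` for the key in question instead of `SAMPLE`.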
