Hi
On Monday 22 March 2010 at 2:30:36 PM, in
<mid:de66fdcb-7796-45c6-a951-7b60da26e...@jabberwocky.com>, David Shaw wrote:

> On Mar 22, 2010, at 8:48 AM, MFPA wrote:

>> The thing that stands out to me is the lack of an
>> option to toggle the certify capability.

> That is by design, though the reason why is different
> for primary keys and subkeys. For primary keys,
> OpenPGP requires this. All primary keys must be able
> to certify.

Fair enough. I was thinking about the "special case" of users who
maintain a "personal master key" to collect and issue web of trust
signatures and to sign the "production" keys they actually use for
encryption and signing files or email. That set-up would be
well-served by the production keys being unable to certify.

Of course, a certify-only primary key with subkeys for signing and
encryption is the more standard way to achieve essentially the same
thing.

> For subkeys, the web of trust is built
> between signatures on primary keys, so a certifying
> subkey would not actually serve any purpose (signatures
> from it would be ignored). Note there is no official
> standard web of trust document that defines this, but
> it is the convention that all current programs that use
> the web of trust adhere to.

I never thought a certifying subkey would make a lot of sense. Any way
I thought about it, a signature from such a beast would mean exactly
the same as a signature from the primary key or, in certain
situations, add confusion/ambiguity with no discernible benefit.
--
Best regards

MFPA                    mailto:expires2...@ymail.com

A bird in the hand makes it awfully hard to blow your nose

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
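
The key layouts discussed in this message can be checked from a keyring listing. The following is an added example, not part of the original messages: it assumes GnuPG's `--with-colons` listing format, in which field 12 of a `pub`/`sub` record holds the capability letters, and it runs over constructed sample records with placeholder key IDs. It reports whether a primary key is certify-only and flags any subkey that carries a certify flag.

```python
# Added example. The records below are constructed; key IDs are placeholders.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1269216000:::u:::cSE:
sub:u:2048:1:AAAAAAAAAAAAAAA1:1269216000::::::s:
sub:u:2048:1:AAAAAAAAAAAAAAA2:1269216000::::::e:
pub:u:2048:1:BBBBBBBBBBBBBBBB:1269216000:::u:::scESC:
sub:u:2048:1:BBBBBBBBBBBBBBB1:1269216000::::::sc:
"""


def own_caps(field):
    """Lowercase letters are the key's own flags; uppercase letters on a
    primary record summarise the whole key and are ignored here."""
    return {c for c in field if c in "esca"}


def audit(colon_output):
    """Map each primary key ID to its layout and any capability warnings."""
    report, primary = {}, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sec", "sub", "ssb"):
            continue  # fpr, uid and other record types carry no capabilities
        keyid, caps = f[4], own_caps(f[11])
        if f[0] in ("pub", "sec"):
            primary = keyid
            report[primary] = {"certify_only": caps == {"c"}, "warnings": []}
            if "c" not in caps:
                report[primary]["warnings"].append("primary key cannot certify")
        elif primary is not None and "c" in caps:
            # By the convention described above, certifications made by a
            # subkey are ignored by web-of-trust implementations.
            report[primary]["warnings"].append(
                f"subkey {keyid} carries a certify flag")
    return report


if __name__ == "__main__":
    for keyid, info in audit(SAMPLE).items():
        print(keyid, info)
```

To run it against a real keyring, pass the output of `gpg --list-keys --with-colons` to `audit()` instead of `SAMPLE`.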