On Mar 23, 2010, at 9:10 AM, MFPA wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi
>
>
> On Monday 22 March 2010 at 2:30:36 PM, in
> <mid:de66fdcb-7796-45c6-a951-7b60da26e...@jabberwocky.com>, David Shaw
> wrote:
>
>> On Mar 22, 2010, at 8:48 AM, MFPA wrote:
>>> The thing that stands out to me is the lack of an
>>> option to toggle the certify capability.
>
>> That is by design, though the reason why is different
>> for primary keys and subkeys. For primary keys,
>> OpenPGP requires this. All primary keys must be able
>> to certify.
>
> Fair enough. I was thinking about the "special case" of users who
> maintain a "personal master key" to collect and issue web of trust
> signatures and to sign the "production" keys they actually use for
> encryption and signing files or email. That set-up would be
> well-served by the production keys being unable to certify.
Issuing a web of trust signature or signing production keys *are* certifications. If a key couldn't certify, it couldn't even make self-sigs on itself (so no user IDs, or subkeys either).

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
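The rule David states, that every primary key must carry the certify capability because self-signatures on user IDs and subkeys are certifications, is visible in the key-flags subpacket of a key's self-signature. The following is an added example, not code from this thread or from GnuPG: it decodes the RFC 4880 signature subpacket area, extracts the key flags (subpacket type 27) and checks the primary-key rule; the subpacket bytes are constructed for illustration.

```python
# OpenPGP (RFC 4880) key-flags subpacket decoding, added example.
# Sample subpacket bytes below are constructed, not from any real key.

KEY_FLAGS_SUBPACKET = 27

FLAG_NAMES = {
    0x01: "certify",       # required on every primary key (self-sigs use it)
    0x02: "sign",
    0x04: "encrypt-communications",
    0x08: "encrypt-storage",
    0x10: "private-split",
    0x20: "authenticate",
    0x80: "shared",
}

def parse_subpackets(data: bytes):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:                                 # five-octet length
            length = int.from_bytes(data[i + 1:i + 5], "big")
            i += 5
        body = data[i:i + length]             # length covers the type octet
        if len(body) != length:
            raise ValueError("truncated subpacket")
        i += length
        yield body[0] & 0x7F, bool(body[0] & 0x80), body[1:]

def key_flags(subpacket_area: bytes) -> int:
    """Return the first key-flags octet found in the area (0 if absent)."""
    for sp_type, _critical, body in parse_subpackets(subpacket_area):
        if sp_type == KEY_FLAGS_SUBPACKET and body:
            return body[0]
    return 0

def capability_names(flags: int) -> list:
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]

def check_primary_key_flags(flags: int) -> bool:
    """OpenPGP requires the certify capability on every primary key."""
    return bool(flags & 0x01)

# Constructed: creation-time subpacket (type 2) then key flags = certify|sign.
PRIMARY_AREA = bytes([5, 2, 0x4B, 0xA8, 0x00, 0x00, 2, 27, 0x03])
# Constructed: a subkey binding advertising encrypt-communications only.
SUBKEY_AREA = bytes([2, 27, 0x04])
```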