On Dec 11, 2010, at 2:55 PM, Ben McGinnes wrote:

>> You can't actually turn on or off certify (which is to sign a key -
>> either your own or someone else's). In OpenPGP, the primary key can
>> always certify (it may be able to encrypt/sign/authenticate as well,
>> but the only strict requirement is that it must be able to certify).
>> Without the ability to certify, you could never make a subkey, since
>> subkeys are signed by the primary key.
>
> Cool. On a tangential note, could this be used as a basis for
> applying a PKI/WoT model to certification of SSL keys, rather than
> relying on CAs?

Yes indeed. See http://web.monkeysphere.info/ for a project using the
WoT for both SSH and HTTPS.

>> Once you make that primary key, you just add subkeys for whatever
>> capabilities you desire. Again, the defaults are recommended (they
>> are correct for virtually everyone). I'd add a sign-only subkey and
>> an encrypt-only subkey. GnuPG will automatically use the subkey for
>> signing over the primary key for signing.
>
> I assume this means that if the primary key can sign & certify, that
> key will still be used to sign other keys even if there is a specific
> signing subkey for messages and files. Right?

Right. Since only the primary can certify, it will be automatically
chosen whenever you try to sign another key.

David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
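The key-selection behaviour David describes (a certify-only primary with sign-only and encrypt-only subkeys; GnuPG picks the sign subkey for a file signature and the primary for a key certification) can be checked directly. The script below is an added example, not code from the thread or from the GnuPG project. It assumes GnuPG 2.1 or later (for the `--quick-*` commands and the ed25519/cv25519 algorithms), runs entirely in a throwaway GNUPGHOME, and uses constructed user ids (`alice@example.invalid`, `bob@example.invalid`) and file names.

```shell
#!/bin/sh
# Added example, not from the original thread: in a throwaway GNUPGHOME, create a
# certify-only primary key with a sign-only and an encrypt-only subkey, then show
# which key GnuPG picks for signing a file (the sign subkey) and which it picks
# for certifying another key (the primary). Assumes GnuPG >= 2.1 for the
# --quick-* commands and ed25519/cv25519; user ids and file names are constructed.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# gpg wrapper for unattended use; the demo keys are created without a passphrase.
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Primary fingerprint for a user id (the first fpr record follows the pub record).
primary_fpr() {
  gpg --batch --with-colons --with-fingerprint --list-keys "$1" \
    | awk -F: '$1=="fpr"{print $10; exit}'
}

# Fingerprint of the subkey of $1 whose own capabilities (colon field 12)
# include $2: "s" for sign, "e" for encrypt.
subkey_fpr() {
  gpg --batch --with-colons --with-fingerprint --list-keys "$1" \
    | awk -F: -v cap="$2" '$1=="sub"{want=index($12,cap)>0; next}
                             $1=="fpr" && want{print $10; exit}'
}

# Long key id = last 16 hex digits of a fingerprint.
keyid() { printf '%s' "$1" | awk '{print substr($0, length($0)-15)}'; }

# Capability letters GnuPG reports for the primary (pub) and each subkey (sub).
show_caps() {
  gpg --batch --with-colons --list-keys "$1" \
    | awk -F: '$1=="pub"||$1=="sub"{print $1, "caps=" $12}'
}

# Fingerprint of the key that produced the detached signature on the demo file,
# taken from the VALIDSIG status line (its first argument is the signing key).
file_signer() {
  gpg --batch --status-fd 1 --verify "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt" 2>/dev/null \
    | awk '$2=="VALIDSIG"{print $3; exit}'
}

# Key ids that certified Bob's key, excluding Bob's own self-signature.
cert_issuers() {
  gpg --batch --with-colons --check-sigs "$BOB" \
    | awk -F: -v bob="$(keyid "$BOB")" '$1=="sig" && $5!=bob{print $5}' | sort -u
}

demo() {
  g --quick-generate-key 'Alice (demo) <alice@example.invalid>' ed25519 cert never
  ALICE=$(primary_fpr alice@example.invalid)
  g --quick-add-key "$ALICE" ed25519 sign never      # sign-only subkey
  g --quick-add-key "$ALICE" cv25519 encr never      # encrypt-only subkey
  g --quick-generate-key 'Bob (demo) <bob@example.invalid>' ed25519 cert never
  BOB=$(primary_fpr bob@example.invalid)
  SIGN_SUB=$(subkey_fpr alice@example.invalid s)
  show_caps alice@example.invalid

  # Sign a file as Alice, naming only the primary: GnuPG selects the sign subkey.
  echo 'constructed demo payload' > "$GNUPGHOME/msg.txt"
  g --local-user "$ALICE" --detach-sign --output "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt"
  echo "file signed by   : $(file_signer)  (sign subkey: $SIGN_SUB)"

  # Sign Bob's key (certify) as Alice: only the primary can certify, so it is used.
  g --local-user "$ALICE" --quick-sign-key "$BOB"
  echo "key certified by : $(cert_issuers)  (primary key id: $(keyid "$ALICE"))"
}

if command -v gpg >/dev/null 2>&1; then demo; fi
```

The `show_caps` output makes the capability split visible (a lowercase `c` on the `pub` record, `s` and `e` on the two `sub` records), and the two comparisons at the end are the point of the thread: the file signature's VALIDSIG fingerprint is the subkey's, while the certification on Bob's key carries the primary's key id, even though both commands named only the primary via `--local-user`.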