On Mon, May 9, 2011 at 18:09, Hauke Laging <mailinglis...@hauke-laging.de> wrote:
> IMHO there are only two possibilities for making (a new version of) OpenPGP
> signature law compatible:
>
> a) The CA creates a mainkey and subkeys. The mainkey is destroyed immediately
> afterwards. That might be legally acceptable but has not much in common with
> PGP any more.
>
> b) It is made possible to prevent the transfer of the validity of a mainkey to
> a subkey. Either by disallowing subkeys at all (in the certification) or by
> requiring explicit certifications for subkeys. When certifying a key you would
> have to decide whether you make a certification of the old type (for the
> mainkey and then the mainkey is allowed to do everything) or of the new one.
> This new type of certification would not be allowed to be backward compatible.
> If it was then old software might regard an explicit subkey certification as a
> normal one and thus accept subkeys without explicit certification.

c) Program the smart-card so it doesn't sign sub-keys?

I'm not familiar with the internals of smart-card implementations but the
OpenPGP sub-key signatures are of a different type than the data signatures.
The smart-card can probably recognize if it's inadvertently signing a sub-key.

--
Jerome Baum
tel +49-1578-8434336
email jer...@jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
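The distinction the reply relies on is the signature type octet defined in RFC 4880 (0x00/0x01 for document signatures, 0x18 for a subkey binding). The following is an added example, not part of the original message or of any smart-card firmware: it reads that octet from a signature packet, assuming the checker sees the complete packet rather than only a digest. The function names and the sample packets are constructed for illustration.

```python
# Added example: read the signature type octet of an OpenPGP signature packet (RFC 4880).
DATA_SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}
KEY_SIG_TYPES = {0x10: "generic certification", 0x11: "persona certification",
                 0x12: "casual certification", 0x13: "positive certification",
                 0x18: "subkey binding", 0x19: "primary key binding",
                 0x1F: "direct key"}

def parse_header(data: bytes):
    """Return (tag, body_offset, body_length) for one OpenPGP packet."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = data[0]
    if first & 0x40:                                  # new-format header
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224 and len(data) >= 3:
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255 and len(data) >= 6:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial or truncated length")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype                                    # 1, 2 or 4 length octets
    if len(data) < 1 + n:
        raise ValueError("truncated length")
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")

def signature_type(packet: bytes) -> int:
    """Return the signature type octet of a v3 or v4 signature packet (tag 2)."""
    tag, off, length = parse_header(packet)
    body = packet[off:off + length]
    if tag != 2 or len(body) != length or length < 3:
        raise ValueError("not a complete signature packet")
    if body[0] == 4:                                  # v4: version, type, ...
        return body[1]
    if body[0] == 3 and body[1] == 5:                 # v3: version, 0x05, type, ...
        return body[2]
    raise ValueError("unsupported signature version")

def is_data_signature(packet: bytes) -> bool:
    """True only for document signatures; key and subkey signatures are rejected."""
    return signature_type(packet) in DATA_SIG_TYPES

def describe(packet: bytes) -> str:
    t = signature_type(packet)
    return DATA_SIG_TYPES.get(t) or KEY_SIG_TYPES.get(t) or f"other (0x{t:02x})"

# Constructed fragments (header fields only, no real signature material).
_REST = bytes([1, 8, 0, 0, 0, 0, 0xAB, 0xCD])
SUBKEY_BINDING = bytes([0x88, 10, 4, 0x18]) + _REST   # old-format header, v4
DOCUMENT_SIG = bytes([0xC2, 10, 4, 0x00]) + _REST     # new-format header, v4
```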