On 05/22/2014 01:04 PM, martijn.list wrote:

> The sub key of the following key (key ID 0549B8A5640444E6) is valid for
> signing (RSA Encrypt or Sign) but it does not contain a primary key
> binding signature:
> 
> http://pgp.mit.edu/pks/lookup?search=0x0549B8A5640444E6&op=index

The subkey here (0xC2B1EA06E3BD3FC7) does not have any key usage flags
subpacket associated with it at all.  As a result, it looks like gpg
treats it as having all usage flags available.

> Enigmail tells me that the sub key is valid for signing. It might be
> that I misunderstand the requirement but it seems that in this case the
> key should not be used for signing since it lacks the primary key
> binding signature. I know that this requirement is relatively recent so
> it might be that for this key the current behaviour is for backward
> compatibility reasons. Is there some documentation on how GPG handles
> signing sub keys without a valid primary key binding signature?

So gnupg treats this key as though the signing usage flag is present,
but it's not yet clear to me that it's willing to accept signatures or
certifications from it in the absence of a cross-certification.

gpg(1) suggests that --require-cross-certification is the default, so
signatures or certifications made by the subkey should be considered
invalid.  Do you have a signature or certification made by that subkey
that you can verify with?

        --dkg


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
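
As an added illustration (not code from the thread or from GnuPG), the sketch below walks the two subpacket areas of a subkey binding signature as laid out in RFC 4880 and marks a subkey that would be treated as signing-capable but carries no embedded primary key binding signature. The byte strings are constructed, the function and field names are hypothetical, and only subpacket presence is checked, not signature validity.

```python
# Added example: constructed inputs; checks subpacket presence only, verifies no signatures.
KEY_FLAGS, EMBEDDED_SIG = 27, 32    # RFC 4880 signature subpacket types
FLAG_SIGN = 0x02                    # key flag: may be used to sign data
PRIMARY_KEY_BINDING = 0x19          # signature type of the cross-certification

def iter_subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                         # one-octet length
            length, i = first, i + 1
        elif first < 255:                       # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                   # 0xFF, then a four-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # bit 7 of the type is "critical"
        i += length

def audit_subkey_binding(hashed: bytes, unhashed: bytes) -> dict:
    """Summarise one subkey binding signature (type 0x18); a v4 embedded
    signature body starts with the version octet, then the signature type."""
    flags, cross_cert = None, False
    for typ, body in iter_subpackets(hashed):   # flags count only when covered by the signature
        if typ == KEY_FLAGS and body:
            flags = body[0]
    for area in (hashed, unhashed):             # the embedded signature may sit in either area
        for typ, body in iter_subpackets(area):
            if typ == EMBEDDED_SIG and body[:2] == bytes([4, PRIMARY_KEY_BINDING]):
                cross_cert = True
    # As observed in the reply above: no key flags subpacket is treated as every usage allowed.
    signing = flags is None or bool(flags & FLAG_SIGN)
    return {"key_flags": flags, "treated_as_signing": signing,
            "cross_cert_present": cross_cert, "needs_review": signing and not cross_cert}

# Constructed subpacket areas (not taken from any real key).
CREATED = bytes([5, 2]) + bytes(4)              # signature creation time, zeroed
ISSUER = bytes([9, 16]) + bytes(8)              # issuer key ID, zeroed placeholder
BACKSIG = bytes([0xC0, 0x09, 32, 4, 0x19]) + bytes(198)   # 201-octet embedded signature stub
NO_FLAGS = audit_subkey_binding(CREATED, ISSUER)          # shape of the subkey discussed above
CROSS_CERTIFIED = audit_subkey_binding(CREATED + bytes([2, 27, 0x02]), ISSUER + BACKSIG)
ENCRYPT_ONLY = audit_subkey_binding(CREATED + bytes([2, 27, 0x0C]), ISSUER)

if __name__ == "__main__":
    print(NO_FLAGS, CROSS_CERTIFIED, ENCRYPT_ONLY, sep="\n")
```

The key flags are read from the hashed area only, because unhashed subpackets are not covered by the binding signature.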
