On May 22, 2014, at 1:04 PM, martijn.list <martijn.l...@gmail.com> wrote:
> According to RFC 4880
>
> "For subkeys that can issue signatures, the subkey binding signature
> MUST contain an Embedded Signature subpacket with a primary key binding
> signature (0x19) issued by the subkey on the top-level key."
>
> The sub key of the following key (key ID 0549B8A5640444E6) is valid for
> signing (RSA Encrypt or Sign) but it does not contain a primary key
> binding signature:
>
> http://pgp.mit.edu/pks/lookup?search=0x0549B8A5640444E6&op=index
>
> Enigmail tells me that the sub key is valid for signing. It might be
> that I misunderstand the requirement but it seems that in this case the
> key should not be used for signing since it lacks the primary key
> binding signature. I know that this requirement is relatively recent so
> it might be that for this key the current behaviour is for backward
> compatibility reasons. Is there some documentation on how GPG handles
> signing sub keys without a valid primary key binding signature?

When verifying a signature from a subkey without a 0x19 binding signature (aka "backsig"), you should get an error:

WARNING: signing subkey XXXXXX is not cross-certified
please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information

and the signature verification will fail.

If you own the key in question, you can add a backsig to it via "gpg --edit-key 0549B8A5640444E6" and then "cross-certify".

David
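The RFC 4880 requirement quoted in this thread, as an added example that is not part of the original messages and is not GnuPG's code: a structural check that a version 4 subkey binding signature (0x18) for a signing-capable subkey carries an Embedded Signature subpacket of type 0x19. The function names and sample packets are constructed for illustration; it assumes a binding with no Key Flags subpacket may sign, and it only checks that the backsig is present, not that it verifies cryptographically.

```python
SUBKEY_BINDING, PRIMARY_KEY_BINDING = 0x18, 0x19   # signature types (RFC 4880, 5.2.1)
KEY_FLAGS, EMBEDDED_SIG, FLAG_SIGN = 27, 32, 0x02  # subpacket types; "may sign data" flag

def subpackets(area):
    """Return [(type, data)] for one hashed or unhashed subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192, i + 2
        else:                                # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        out.append((area[i] & 0x7F, area[i + 1:i + length]))  # drop the critical bit
        i += length
    return out

def parse_v4_signature(body):
    """Return (signature type, hashed subpackets, unhashed subpackets)."""
    ustart = 6 + int.from_bytes(body[4:6], "big")               # end of hashed area
    uend = ustart + 2 + int.from_bytes(body[ustart:ustart + 2], "big")
    if len(body) < 6 or body[0] != 4 or len(body) < uend:
        raise ValueError("not a complete version 4 signature packet body")
    return body[1], subpackets(body[6:ustart]), subpackets(body[ustart + 2:uend])

def has_backsig(binding_body):
    """True/False for a signing-capable subkey binding, None when not applicable."""
    sig_type, hashed, unhashed = parse_v4_signature(binding_body)
    # Assumption: with no Key Flags subpacket, treat the subkey as able to sign.
    flags = next((d[0] for t, d in hashed if t == KEY_FLAGS and d), FLAG_SIGN)
    if sig_type != SUBKEY_BINDING or not flags & FLAG_SIGN:
        return None
    wanted = bytes([4, PRIMARY_KEY_BINDING])  # embedded body starts: version, type
    return any(t == EMBEDDED_SIG and d[:2] == wanted for t, d in hashed + unhashed)

# Constructed sample packets (no MPIs, zeroed hash prefix), not real key material.
def make_subpacket(kind, data):
    return bytes([len(data) + 1, kind]) + data

def make_signature(sig_type, hashed=b"", unhashed=b""):
    return (bytes([4, sig_type, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00")

SIGN_FLAGS = make_subpacket(KEY_FLAGS, b"\x02")
CROSS_CERTIFIED = make_signature(SUBKEY_BINDING, SIGN_FLAGS, make_subpacket(
    EMBEDDED_SIG, make_signature(PRIMARY_KEY_BINDING)))
NOT_CROSS_CERTIFIED = make_signature(SUBKEY_BINDING, SIGN_FLAGS)
ENCRYPT_ONLY = make_signature(SUBKEY_BINDING, make_subpacket(KEY_FLAGS, b"\x0c"))
```

Here has_backsig returns True for CROSS_CERTIFIED, False for NOT_CROSS_CERTIFIED (the situation described in the question), and None for ENCRYPT_ONLY, where the requirement does not apply.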