> >Please can you elaborate on how it is incorrect to say that somebody > >who knows the passphrase to a secret key can make changes to that key. > >Would this maybe be the case when using an encryption subkey with an > >offline main key? > > If you make encryption and signing subkeys you can export them (i.e. the > secret subkeys), create a new gnupg home directory, > import the subkeys, change the password on them, and finally, export > and distribute them to the people who are supposed to use them. > By doing this you can have a person who manages the master key separately > under another password and the authorized users can > use the encryption and signing secret subkeys without being able to make changes to them....
I think we are in danger of working with different concepts of what "not being able to" means. On a first level, if you have read/write access to the key-file, it is just a file and you can do pretty much anything with it. On a second level, proper cryptographic protection may prevent you from doing anything sensible with it, if you don't have access to the protecting secret(e.g.the GnuPG access passphrase). On a third level you may know the secret access key but within the small world of a particular cryto tool (GnuPG in this case) you "cannot do". You may sit down and code it yourself, however. This third level of "cannot do" is usually disregarded by cryptographers and IT-security people, yet I think this is probably the kind of "cannot do" we are talking about here. I have to admit I don't know much about the way the subkey structure is organized internally in OpenPGP, so if there is some true cryptographic protection of the subkey relationships, may someone who knows about it please tell me. If there were true cryptographic protection, it would have to work without a password. This might be very interesting crypto stuff then :-).. My gut feeling makes me believe this protection is impossible with cryptographically independent keys, however, and that you could always at least embed the exported subkey into a newly created parent key structure and newly design whatever sub/super-key structure you like around the exported key. So unless there is convincing cryptographic reasoning about why you cannot do something to the key you have the access password to, I would not rely on the "cannot do". Regards, Michael Anders _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
