On 07/05/2016 09:27 PM, Karol Babioch wrote:
> > No, only the master key can sign other keys.
> Is this a limitation of GPG and my premises or is this something inherent to the OpenPGP standard?
According to the standard, any key with the "Certify" flag set can be used to sign other keys. And unless I'm mistaken, the standard does not explicitly restrict this flag to master keys only.
So, I guess it should be possible (at least in theory) to have a subkey with this flag, and to use it to sign other keys. But I don't think GnuPG (or any other OpenPGP implementation) allows doing that.
> Storing the master key offline and having to import it whenever I want to sign other keys might actually decrease security, since it offers enough of a possibility to mess things up.
True enough. In my case, I try to minimize the risk of human error by using a script which automatically brings the key online (from its offline USB storage), executes a single GnuPG command, then removes the key again.
If you are interested, I've written a blog post [1] in which I give an example of such a script.
Regards,
Damien

[1] https://incenp.org/notes/2015/using-an-offline-gnupg-master-key.html
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
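The "bring the key online, run one GnuPG command, remove it again" workflow described in the reply above, written out as an added example. This is not Damien's script from the linked blog post and not part of the original thread. It assumes (hypothetically) that the master secret key was exported to a file on removable media, `$OFFLINE_KEY` (default `/media/usb/master-secret.gpg`), and that the everyday keyring holding the public keys and the subkeys lives in `$ONLINE_HOME`. The master key only ever touches a throwaway `--homedir`, which is destroyed by an exit trap even if the gpg command fails or is interrupted; only public material (the new certifications) is merged back into the online keyring.

```shell
#!/bin/sh
# Added example, not the post's script: run exactly one GnuPG command with the
# offline master key loaded into a throwaway keyring, then destroy that keyring.
# Assumptions (not from the post): $OFFLINE_KEY is an exported secret-key file on
# removable media; $ONLINE_HOME is the normal keyring with public keys + subkeys.
set -eu

OFFLINE_KEY="${OFFLINE_KEY:-/media/usb/master-secret.gpg}"   # hypothetical path
ONLINE_HOME="${ONLINE_HOME:-${HOME:-.}/.gnupg}"

# Fail early (USB not mounted, wrong path) instead of letting gpg stop half-way.
require_offline_key() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ]
}

# Private scratch GNUPGHOME so the master key never enters the online keyring.
# Point TMPDIR at a tmpfs mount where possible so nothing lands on disk.
make_scratch_home() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/offline-gpg.XXXXXX")
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Remove the scratch home. shred is best-effort on journaling/SSD filesystems,
# which is the reason for preferring tmpfs above.
destroy_scratch_home() {
    d=$1
    [ -d "$d" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        find "$d" -type f -exec shred -u {} + 2>/dev/null || true
    fi
    rm -rf "$d"
}

# Run one gpg command (e.g. --sign-key <fingerprint>) with the master key
# available, merge the resulting public material back, and clean up on any exit.
with_master_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }
    require_offline_key "$OFFLINE_KEY" \
        || { echo "offline key not reachable: $OFFLINE_KEY" >&2; return 1; }
    scratch=$(make_scratch_home)
    trap "destroy_scratch_home '$scratch'" EXIT INT TERM
    # Seed the scratch home with the online public ring: the master key's own
    # public key, its subkeys, and the keys that are about to be certified.
    gpg --homedir "$ONLINE_HOME" --export | gpg --homedir "$scratch" --quiet --import
    gpg --homedir "$scratch" --quiet --import "$OFFLINE_KEY"
    gpg --homedir "$scratch" "$@"
    # --export never emits secret keys, so only new certifications flow back.
    gpg --homedir "$scratch" --export | gpg --homedir "$ONLINE_HOME" --quiet --import
}

# Usage: ./offline-sign.sh --sign-key <fingerprint of the key to certify>
if [ $# -gt 0 ]; then
    with_master_key "$@"
fi
```

The script deliberately does not loop or take a list of keys: one invocation, one gpg command, one cleanup, which is the whole point of scripting the step. Afterwards the certified key still has to be exported from the online keyring and sent to its owner or a keyserver as usual.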