-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, Jun 26, 2003 at 04:56:43PM +0200, Imad R. Faiad wrote:
As I understand it, sub keys are only justified in the following
circumstances:-
1) When the public key algorithm does not support encryption (e.g. DSA).
2) In agreement with a school of thought, which recommends that
it is good practice not to use the same key for signing and
encryption.
Any other arguments beyond the above, are just eccentricities,
and will be better addressed by creating another key.
One person's eccentricity is another person's operational requirement.
OpenPGP should be flexible enough to accomodate both.
Therefore, for the sake of simplicity, please permit me to propose
that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
suitable for signing, and ONE optional encryption sub key of an
OpenPGP public key algorithm suitable for encryption (and / or signing
if the owner so desires), PERIOD.
I guess I don't really see how this helps. Remember that both
multiple subkeys and signing subkeys are from 2440. These are not new
inventions in 2440bis, and are already widely supported in the field.
All versions of PGP (5+) and GnuPG support multiple subkeys. All
versions of GnuPG and PGP 8 support signing subkeys.
What is under discussion here is a simple fix for a design weakness in
signing subkeys. Forcing all v4 keys to have one and only one subkey
would effectively declare every current OpenPGP implementation
noncompliant, and even then not solve the problem at hand with
sign+encrypt subkeys.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE+/E7O4mZch0nhy8kRAqrTAJwP/CHJbTIWGvyytLg5W+m6P+d3CwCeK/Vs
1xXVZNUeHnkTcqn549cflDc=
=/D3j
-----END PGP SIGNATURE-----