On Fri, 06 Jun 2003 11:28:37 -0400, Ian Grigg said:
> To identify keys and their roles, we stick the following
> into the keyId textual tag:
> [role]
That used to be the only way during PGP 2 times. A German ISP with an
associated CA created pgp 2.63in to formalize their conventions on how
to encode more attributes in the User ID. This made it even possible
to use separate signing and encryption keys as well as expiration
dates.
In contrast OpenPGP provides a more general way to encode more
information with a key. Most notably notation data can be used
instead of tags encoded in the User ID.
> (And, thinking about it some more, I can see that the issue
> you might have there is that once you have your authentication
> bit in place, how do you show that the key is to be used for
> SSH authentication and not TLS?)
That is not the question I want to address. The problem stems from
this:
If you have more than one encryption subkey, the most useful way is to
use the newest encryption subkey which has not been created in the
future. This allows for an automatic key rollover. Although it does
not make that much sense, the scheme can also be used for signing
subkeys. To figure out what subkey to use, the implementation
computes the key capabilities from the used algorithm and the key
flags and decides on this. If you add a subkey for authentication,
this one is probably the newest one and would be used for signing -
that is probably not what you want.
Shalom-Salam,
Werner
--
Werner Koch <wk(_at_)gnupg(_dot_)org>
The GnuPG Experts http://g10code.com
Free Software Foundation Europe http://fsfeurope.org