One other point, although I hesitate to mention it, is that we could
consider using this sign-the-topkey trick for encryption subkeys as well
as signature subkeys. Now, there are two immediate objections to this.
First, as discussed earlier, the fraud does not seem nearly as serious
for encryption subkeys, amounting to tricking someone into encrypting
a message to someone else's key instead of your own. And second, it
seems impossible anyway, as encryption subkeys can't issue signatures,
so they can't sign the top level key.
However, the impossibility is actually not so bad: RSA encryption subkeys
can issue signatures just fine, even if they don't usually do so; and the
same with ElGamal encryption subkeys. We have loaded up the spec with
warnings about ElGamal signatures, but in fact those warnings mostly
relate to chosen plaintext attacks. In this case it is the key owner
who is choosing what to sign, hence those attacks don't apply. It should
be perfectly safe for an ElGamal or RSA encryption subkey to issue an
appropriate signature on its top-level key.
The first objection still holds, that all this work may not be worth it
(and it is a lot of work for those implementations which don't support
ElGamal signatures) since we don't seem to be able to come up with
much of a fraud by putting someone else's subkey under your own topkey.
Nevertheless there is considerable appeal to being able to verify that
all master-slave key-to-key relationships were fully consensual.
Hal Finney