At 12:24 PM 6/25/2003 -0700, Hal Finney wrote:
> Derek Atkins writes:
> > Hmm, can subkeys have subkeys?
>
> Subkeys, unlike David's fleas, are not presently afflicted in this way.
> However, if they ever suffered such a transformation, we could probably
> link each top and child key in the same way we are proposing to link
> our single level of parenthood.
With a chain of N subkeys, this requires N back-signatures (so 2N total
signatures). You could do it with zero or one back-signatures. Since PGP
only has N=1, this may not be useful, but I'll point it out anyways:

An alternative to back-signatures was to include the primary key ID as a
hashed subpacket in a signature produced by the subkey. David didn't like
this for subkeys because it would have to be repeated for every signature
the subkey produced. But if you have a chain of subkeys, for every subkey
except the last, you *have* a signature that the subkey produced.

So if you added the primary key ID into subkey-on-subkey signatures, you'd
only have to do something different for the last key, such as a
back-signature, or adding the primary key ID into the signatures it produced.

On a separate point, I think subkeys having subkeys could be
useful[1]. For example, Alice is going on vacation for a month, and
doesn't want to bring her primary key. However, she doesn't want to give
her cellphone a month-long subkey, in case it gets stolen. So she issues a
month-long subkey to an online service that she trusts, and then every day
uses her cellphone to authenticate to the service and get an 8-hour subkey
under the service's subkey.

[1] http://www.imc.org/ietf-openpgp/mail-archive/msg05262.html
Trevor
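
The chain scheme described in the message above, as an added example that is not part of the original message or of any OpenPGP implementation: each key signs the next with the primary key ID in the signed data, and only the last subkey adds a back-signature, giving N+1 signatures instead of 2N. Assumptions: Lamport one-time signatures built from the standard library stand in for a real OpenPGP signature algorithm, and the signed-data layout (primary key ID followed by the signed key's ID) and all function names are constructed for illustration, not the OpenPGP packet format.

```python
import hashlib, os

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signatures: a stdlib stand-in for a real OpenPGP algorithm.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def key_id(pk):
    return H(b"".join(a + b for a, b in pk))[:8]

def build_chain(n):
    """Primary key plus n chained subkeys; returns (public keys, signatures)."""
    keys = [keygen() for _ in range(n + 1)]
    pks = [pk for _, pk in keys]
    primary = key_id(pks[0])
    # Each key signs the next one, with the primary key ID in the hashed data.
    sigs = [sign(keys[i][0], primary + key_id(pks[i + 1])) for i in range(n)]
    # The last subkey has signed nothing yet, so it gets the one back-signature.
    sigs.append(sign(keys[n][0], primary + key_id(pks[n])))
    return pks, sigs

def verify_chain(pks, sigs, primary=None):
    """Check every link names `primary` and the last subkey back-signs it."""
    primary = primary or key_id(pks[0])
    n = len(pks) - 1
    if len(sigs) != n + 1:
        return False
    links = all(verify(pks[i], primary + key_id(pks[i + 1]), sigs[i])
                for i in range(n))
    return links and verify(pks[n], primary + key_id(pks[n]), sigs[n])
```

Each key here signs exactly once, which is what lets a one-time scheme stand in; a verifier that supplies a different primary key ID rejects every link, because the ID is part of what each subkey signed.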