[Top] [All Lists]

Re: Multiple encryption subkeys

2007-01-17 13:37:24

On Wed, 17 Jan 2007 12:34:15 -0500 Hal Finney <hal(_at_)finney(_dot_)org> 

Hmmm, I don't see the interop question here. Choosing which keys 
encrypt to is entirely between the user and his software. 

there is 'sort-of' more of an annoyance issue, rather than a 
and purely an implementation one, not an issue with the rfc

Daniel Nagy writes:
The standard, as it stands right now, says nothing about dealing 
multiple encryption subkeys. I think, this is something that 
interoperability and thus merits a few sentences in the 

GPG assumes that the one with the latest valid subkey binding 
signature is
the one that should be used when encrypting to the given primary 
key. I
think, this is wrong, because it makes multiple subkeys useless 

gnupg allows encrypting to 'any' subkey, earlier or later,
simply by adding a ! after the keyid (by number, not name) of the 
preferred subkey,

gpg -r 12345678! -e filename

the issue is that gnupg, by default, will choose the 'latest' 
when the command is:

gpg -r username -e filename

(assuming, actually quite understandably, that if the key owner 
went through the trouble of making a new subkey, there was probably 
a good reason for it,)

now, since not everyone has this new subkey yet,
and when someone who doesn't have it yet, receives an e-mail self-
encrypted by default, to the sender's new subkey,
and if also, the sender has not yet uploaded this subkey,
and also, didn't inform the receiver of the new key,
then the receiver 'might' be confused as to why it is not encrypted 
to the encrypting subkeys he/she has for that sender

other than that,
i don't see any other problem with this

the receiver has a choice to encrypt to any subkey,
any the only implementation issue, 
is perhaps to make this '!' option 
more clearly documented 
(iirc, it's still not in the gpg manpage ;-) ),
when encrypting by username,
for gnupg to prompt:
'select subkey'  (and list the keys, sizes, and creation dates)

either way, 
an 'implementation' issue.


Concerned about your privacy? Instantly send FREE secure email, no account 

Get the best prices on SSL certificates from Hushmail

<Prev in Thread] Current Thread [Next in Thread>