[Top] [All Lists]

Re: Multiple encryption subkeys

2007-01-17 16:12:41
On Wednesday 17 January 2007 21:18, vedaal(_at_)hush(_dot_)com wrote:
On Wed, 17 Jan 2007 12:34:15 -0500 Hal Finney <hal(_at_)finney(_dot_)org>

Hmmm, I don't see the interop question here. Choosing which keys
encrypt to is entirely between the user and his software.

there is 'sort-of' more of an annoyance issue, rather than a
and purely an implementation one, not an issue with the rfc

Daniel Nagy writes:
The standard, as it stands right now, says nothing about dealing


multiple encryption subkeys. I think, this is something that


interoperability and thus merits a few sentences in the


GPG assumes that the one with the latest valid subkey binding

signature is

the one that should be used when encrypting to the given primary

key. I

think, this is wrong, because it makes multiple subkeys useless



gnupg allows encrypting to 'any' subkey, earlier or later,
simply by adding a ! after the keyid (by number, not name) of the
preferred subkey,

gpg -r 12345678! -e filename

the issue is that gnupg, by default, will choose the 'latest'
when the command is:

gpg -r username -e filename

(assuming, actually quite understandably, that if the key owner
went through the trouble of making a new subkey, there was probably
a good reason for it,)

now, since not everyone has this new subkey yet,
and when someone who doesn't have it yet, receives an e-mail self-
encrypted by default, to the sender's new subkey,
and if also, the sender has not yet uploaded this subkey,
and also, didn't inform the receiver of the new key,
then the receiver 'might' be confused as to why it is not encrypted
to the encrypting subkeys he/she has for that sender

other than that,
i don't see any other problem with this

the receiver has a choice to encrypt to any subkey,
any the only implementation issue,
is perhaps to make this '!' option
more clearly documented
(iirc, it's still not in the gpg manpage ;-) ),

Fresh from the gpg manpage (version 1.4.2):

Note that you can append an exclamation mark (!) to key IDs or 
fingerprints. This flag tells GnuPG to use the specified primary or 
secondary key and not to try and calculate which primary or secondary 
key to use.


Attachment: pgpMkU8D7LsJ4.pgp
Description: PGP signature

<Prev in Thread] Current Thread [Next in Thread>