On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote:

> Hi,
>
> I tried to generate an RSAv4 certification-only key with GnuPG, but
> failed, even in "expert mode".
>
> What I mean is a primary key that can be used to attach a subkey to
> it, or _maybe_ also to sign UserIDs of other keys (for the Web of
> Trust). But not for data signatures. As I understand the RFC, I want a
> primary key with key flags 0x01 (or maybe even 0x00?).
It would be 0x01. 0x00 is not meaningful in PGP since that would mean
"key with no capabilities". The standard requires that all primary keys
must be able to certify. Even if the 0x01 bit is not set by the user,
primary keys can certify.

> But GnuPG only presents me with three "bits" to flip:
>
> - signature, which seems to set key flag 0x03
> - encryption, which seems to set key flag 0x0C
> - authentication, which seems to set flag 0x21
>
> I tried turning all three bits off, but then the key doesn't have a
> key flags subpacket (packet 27) at all and seems to be treated by
> GnuPG as an "everything is allowed" key.
>
> Is this impossible with GnuPG? Is it a bad idea? Why? Do I
> misunderstand the RFC?

It's not impossible - 1.4.3 (not released yet) supports certify-only
keys like you want.

It's not necessarily a good idea though: some people, before agreeing
to sign a key, will ask for a signed message to prove that you "own"
the secret portion of the key they are about to sign. Without the
ability to sign, such a signature is hard to generate.

Why do you want such a key?

David

_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
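The key-flags subpacket the thread argues about, decoded in an added example that is not part of the thread or of GnuPG: it walks a signature's hashed subpacket area (RFC 4880 section 5.2.3.1 framing), picks out subpacket 27 and applies the two rules David states, namely that a primary key can always certify and that a key with no key-flags subpacket is treated as "everything is allowed". The sample subpacket bytes are constructed for the example.

```python
KEY_FLAGS = 27  # subpacket type 27: key flags

# Bit meanings of the first key-flags octet (RFC 4880 section 5.2.3.21).
FLAG_NAMES = {
    0x01: "certify",
    0x02: "sign",
    0x04: "encrypt-communications",
    0x08: "encrypt-storage",
    0x10: "split-key",
    0x20: "authentication",
    0x80: "group-key",
}
ALL_USAGE = 0x01 | 0x02 | 0x04 | 0x08 | 0x20  # "everything is allowed"

def iter_subpackets(area):
    """Yield (type, body) pairs from a raw OpenPGP subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        body = area[i:i + length]             # length covers the type octet
        i += length
        yield body[0] & 0x7F, body[1:]        # high bit of type = "critical"

def key_capabilities(area, primary=True):
    """Capability names GnuPG would attribute to a key, per the thread."""
    flags = None
    for sptype, body in iter_subpackets(area):
        if sptype == KEY_FLAGS and body:
            flags = body[0]                   # later subpackets win
    if flags is None:
        flags = ALL_USAGE                     # no subpacket 27 at all
    if primary:
        flags |= 0x01                         # primary keys always certify
    return sorted(name for bit, name in FLAG_NAMES.items() if flags & bit)

# Constructed sample: a creation-time subpacket (type 2, 4-byte time)
# followed by key flags 0x01, i.e. the certify-only primary key asked for.
CERTIFY_ONLY_AREA = bytes([5, 2, 0x43, 0x1C, 0x00, 0x00, 2, 27, 0x01])

if __name__ == "__main__":
    print(key_capabilities(CERTIFY_ONLY_AREA))   # ['certify']
    print(key_capabilities(bytes([2, 27, 0x03])))  # ['certify', 'sign']
```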
