Hello, is it possible today (if not: how big would the chanhes to gpg or the OpenPGP standard have to be) to sign not only the main key and UIDs but also subkeys?
I just had a discussion about the advantages of OpenPGP and S/MIME. This seems to be one of the few properties of X.509 which cannot be "emulated" with gpg. AFAIK you cannot prevent someone who generates a key on a smartcard which is to be certified by you to only use the smartcard if it is for gpg. He could create a subkey on a PC (and keep it there), certify it by the main key on the smartcard and a third party would put too much trust in your "this key certifies smartcard keys only" signature. If it was possible to certify subkeys, too, then you would sign all keys on the smartcard and a third party could recognize a later generated subkey by the missing signature. And you could limit the capabilities by e.g. signing subkeys for authentication only. This would combine the flexibility of OpenPGP with the possibility to create a higher level of security and trust for certain applications. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
