Re: Possible bug: addkey can create certifying subkey
On Mon, 31 Aug 2009 19:24, j...@jameshoward.us said:

> I am not sure if this is a bug, but given the documentation it is not the expected behavior. I created new keys this weekend, due to a lost USB drive. Replicating it here, if you specify --expert and create a RSA subkey with all the options off, it will create a subkey with all the options, including certification turned on. Here's a slightly

That is perfectly okay. If you want to set the key flag for certification on a subkey, gpg allows you to do so. The OpenPGP standard does not restrict this.

Note that despite a subkey carrying this flag, OpenPGP (and thus gpg) will always use the primary key for certification of user-ids and other subkeys (binding signatures) and for certifying other keys (key signatures).

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Possible bug: addkey can create certifying subkey
On 09/01/2009 02:45 AM, Werner Koch wrote:

> On Mon, 31 Aug 2009 19:24, j...@jameshoward.us said:
>
>> I am not sure if this is a bug, but given the documentation it is not the expected behavior. I created new keys this weekend, due to a lost USB drive. Replicating it here, if you specify --expert and create a RSA subkey with all the options off, it will create a subkey with all the options, including certification turned on. Here's a slightly
>
> That is perfectly okay. If you want to set the key flag for certification on a subkey, gpg allows you to do so. The OpenPGP standard does not restrict this.

I think it may still be a problem that attempting to turn off all the flags has the actual effect of turning them all on instead...

-Alex Mauer "hawke"
Re: Possible bug: addkey can create certifying subkey
On Tue Sep 01 2009 14:57:47 GMT-0400 (EST), Alex Mauer ha...@hawkesnest.net wrote:

> On 09/01/2009 02:45 AM, Werner Koch wrote:
>
>> On Mon, 31 Aug 2009 19:24, j...@jameshoward.us said:
>>
>>> I am not sure if this is a bug, but given the documentation it is not the expected behavior. I created new keys this weekend, due to a lost USB drive. Replicating it here, if you specify --expert and create a RSA subkey with all the options off, it will create a subkey with all the options, including certification turned on. Here's a slightly
>>
>> That is perfectly okay. If you want to set the key flag for certification on a subkey, gpg allows you to do so. The OpenPGP standard does not restrict this.
>
> I think it may still be a problem that attempting to turn off all the flags has the actual effect of turning them all on instead...

Well, that was kind of my point, but was also confused by the certifying subkey and may have unduly dwelt on it.

James

--
James P. Howard, II, MPA
j...@jameshoward.us
Re: Possible bug: addkey can create certifying subkey
On Tue, 1 Sep 2009 20:57, ha...@hawkesnest.net said:

> I think it may still be a problem that attempting to turn off all the flags has the actual effect of turning them all on instead...

That is per OpenPGP: Key flags are not required and thus lacking any key flags, we need to assume all capabilities.

Of course it would be possible to add an empty list of key flags (in contrast to no list). IMHO this does not make any sense thus we don't create a key flags list at all if you reset all key flags.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
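The rule described in the reply above, as an added example that is not part of the thread and not GnuPG's code: a reader of a binding signature's hashed subpackets that reports "SCEA" when no key-flags subpacket is present. The function names and sample byte strings are constructed for illustration, the default `algo_can` assumes an RSA key, and treating an empty key-flags list as "no capabilities" is an assumption the thread does not settle.

```python
# Added illustration; names are hypothetical and this is not GnuPG source.
KEY_FLAGS = 27  # "Key Flags" signature subpacket type (RFC 4880, 5.2.3.21)
# Flag bits of the first key-flags octet, in the order gpg prints usage letters.
FLAG_LETTERS = [(0x02, "S"), (0x01, "C"), (0x04 | 0x08, "E"), (0x20, "A")]

def iter_subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                          # one-octet length
            length, i = first, i + 1
        elif first < 255:                        # two-octet length
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                    # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket area")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit
        i += length

def effective_usage(area: bytes, algo_can: str = "SCEA") -> str:
    """Usage letters implied by a binding signature's hashed subpackets."""
    for sp_type, body in iter_subpackets(area):
        if sp_type == KEY_FLAGS:
            octet = body[0] if body else 0       # assumption: empty list = none
            return "".join(c for bit, c in FLAG_LETTERS
                           if octet & bit and c in algo_can)
    return algo_can          # no key-flags subpacket: assume all capabilities

# Constructed hashed areas (not taken from any real key).
CREATED = bytes([5, 2]) + (0x4A9B0000).to_bytes(4, "big")   # creation time only
SAMPLES = {
    "encrypt subkey":  CREATED + bytes([2, KEY_FLAGS, 0x0C]),
    "all toggled off": CREATED,                  # gpg writes no key-flags list
    "empty flag list": CREATED + bytes([1, KEY_FLAGS]),
}

def audit(samples=SAMPLES):
    """Map each sample to its usage string; 'C' on a subkey deserves a look."""
    return {name: effective_usage(area) for name, area in samples.items()}

if __name__ == "__main__":
    for name, usage in audit().items():
        print(f"{name:16} usage: {usage or '(none)'}")
```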
Possible bug: addkey can create certifying subkey
I am not sure if this is a bug, but given the documentation it is not the expected behavior. I created new keys this weekend, due to a lost USB drive. Replicating it here, if you specify --expert and create a RSA subkey with all the options off, it will create a subkey with all the options, including certification turned on. Here's a slightly edited transcript:

howar...@thermopylae:~$ gpg --expert --edit 0xE6602099
Secret key is available.

pub  4096R/0xE6602099  created: 2009-08-30  expires: never  usage: C
                       trust: ultimate  validity: ultimate
sub  2048R/0xFCB31625  created: 2009-08-30  expires: never  usage: E
sub  2048R/0xA40883BA  created: 2009-08-30  expires: never  usage: A
sub  2048R/0x2C3602D7  created: 2009-08-30  expires: never  usage: S
sub  2048R/0x3EE4249E  created: 2009-08-30  expires: never  usage: S
[ultimate] (1). James Patrick Howard, II

Command addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: James Patrick Howard, II
4096-bit RSA key, ID 0xE6602099, created 2009-08-30

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      n  = key expires in n days
      nw = key expires in n weeks
      nm = key expires in n months
      ny = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  4096R/0xE6602099  created: 2009-08-30  expires: never  usage: C
                       trust: ultimate  validity: ultimate
sub  2048R/0xFCB31625  created: 2009-08-30  expires: never  usage: E
sub  2048R/0xA40883BA  created: 2009-08-30  expires: never  usage: A
sub  2048R/0x2C3602D7  created: 2009-08-30  expires: never  usage: S
sub  2048R/0x3EE4249E  created: 2009-08-30  expires: never  usage: S
sub  2048R/0xB892F408  created: 2009-08-31  expires: never  usage: SCEA
[ultimate] (1). James Patrick Howard, II

Command quit
Save changes? (y/N) n
Quit without saving? (y/N) y
howar...@thermopylae:~$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.12
libgcrypt 1.4.4
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
howar...@thermopylae:~$

--
James P. Howard, II, MPA
j...@jameshoward.us