Hi,

On 04/19/2018 03:12 AM, Evan Klitzke wrote:
> Later Alice learns about subkeys, so she creates a new signing subkey for signing her mail/git commits/whatever. How does this work when Bob sees the new subkey?

For most purposes, the use of subkeys is "transparent" from the user's point of view. Users only need to be concerned about their correspondents' master (or primary) key.

In particular:

> Does Bob/GPG treat the signing subkey to be just as trusted as Alice's master key?

Yes [1].


> From Bob's point of view, is there a difference which key (the master key or the subkey) Alice used when signing Carol's key?

Unless Alice played with GnuPG's source code, she can only use her master key to sign Carol's key.

Signing a key ("certify", to use the proper term), in OpenPGP, is a special form of signing which requires a key with the "Certify" capability instead of the "Signing" capability. Only the master key has that capability. As far as I know it is not possible to generate a certification-capable subkey.

Hope that helps,

Damien


[1] Assuming the subkey is correctly bound (with correct signatures) to Alice's master key. But this is something that not even Alice should have to care about; this is all taken care of by GnuPG when she generates her new subkey.
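
An added example, not part of the original message: a Python sketch that reads `gpg --list-keys --with-colons` output and reports which keys carry the certify capability and which can make ordinary data signatures. The key listing is constructed sample data, and the function names are hypothetical.

```python
# Constructed sample of `gpg --list-keys --with-colons` output (not a real key).
SAMPLE = """\
pub:u:4096:1:1111111111111111:1400000000:::u:::scESC:
uid:u::::1400000000::::Alice (constructed) <alice@example.org>:
sub:u:4096:1:2222222222222222:1400000000::::::e:
sub:u:4096:1:3333333333333333:1524000000::::::s:
sub:r:4096:1:4444444444444444:1450000000::::::s:
"""

# Validity letters (field 2) that make a key unusable:
# invalid, disabled, revoked, expired, not valid.
UNUSABLE = {"i", "d", "r", "e", "n"}


def parse_keys(colon_output):
    """Return one dict per pub/sub record: type, keyid, validity, caps."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            # Field 12 lists capabilities. On a pub record the uppercase
            # letters summarise the whole key, so keep the lowercase ones,
            # which describe this particular (sub)key.
            caps = {c for c in f[11] if c.islower()}
            keys.append({"type": f[0], "keyid": f[4],
                         "validity": f[1], "caps": caps})
    return keys


def certifying_keys(keys):
    """Key IDs able to certify, i.e. sign someone else's key."""
    return [k["keyid"] for k in keys if "c" in k["caps"]]


def signing_keys(keys):
    """Key IDs usable for data signatures (mail, git commits, ...)."""
    return [k["keyid"] for k in keys
            if "s" in k["caps"] and k["validity"] not in UNUSABLE]


def subkeys_that_certify(keys):
    """Subkeys carrying the certify capability; worth a closer look if any."""
    return [k["keyid"] for k in keys if k["type"] == "sub" and "c" in k["caps"]]


if __name__ == "__main__":
    parsed = parse_keys(SAMPLE)
    print("certify:", certifying_keys(parsed))
    print("sign:   ", signing_keys(parsed))
    print("certify-capable subkeys:", subkeys_that_certify(parsed))
```

On the sample, the primary key is the only one that can certify, while the primary and the unrevoked signing subkey can both make data signatures.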


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
