GnuPG 1.2 encryption key selection with authentication keys

David Shaw dshaw at jabberwocky.com
Fri Feb 11 17:04:18 CET 2005


On Fri, Feb 11, 2005 at 10:45:02AM +0000, Thomas Viehmann wrote:
> Thanks, David, for the quick answer.
> 
> David Shaw (dshaw at jabberwocky.com) wrote:
> > > Is there a way to make GnuPG 1.2 prefer the actual encryption key by
> > > default?
> > Upgrade.  This was a bug fixed in GnuPG 1.2.7.
> Unfortunately, my own upgrading won't fix the bug on the side of the encryptor
> whose preference to use old versions of GnuPG I'm not having much hope of
> influincing. Is there anything (short of revoking it) I can do to make the
> authentication less attractive to (the broken versions) of GnuPG?
> I considered manipulating the encryption key's binding signature to have a
> newer date, but my guess is that while this would work locally, I'd probably
> run into trouble with the keyservers.

Unfortunately, manipulating the binding signature by itself won't
work.  You'd have to manipulate the date field in the key itself,
since that is what is used to determine which subkey to use.  It's
probably easier to revoke that subkey and make a new one which will
also make the encryption key the most recent.

You could also revoke the authentication subkey, but then you couldn't
use it, of course.

Note that PGP (even the latest 8.1) has the same bug.  The PGP folks
have been informed and are working on it.

David



More information about the Gnupg-users mailing list