2.0.14 --gen-key interface nit
David Shaw
dshaw at jabberwocky.com
Tue Mar 23 15:27:10 CET 2010
On Mar 23, 2010, at 9:10 AM, MFPA wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi
>
>
> On Monday 22 March 2010 at 2:30:36 PM, in
> <mid:DE66FDCB-7796-45C6-A951-7B60DA26E4E3 at jabberwocky.com>, David Shaw
> wrote:
>
>> On Mar 22, 2010, at 8:48 AM, MFPA wrote:
>>> The thing that stands out to me is the lack of an
>>> option to toggle the certify capability.
>
>> That is by design, though the reason why is different
>> for primary keys and subkeys. For primary keys,
>> OpenPGP requires this. All primary keys must be able
>> to certify.
>
> Fair enough. I was thinking about the "special case" of users who
> maintain a "personal master key" to collect and issue web of trust
> signatures and to sign the "production" keys they actually use for
> encryption and signing files or email. That set-up would be
> well-served by the production keys being unable to certify.
Issuing a web of trust signature or signing production keys *are* certifications. If key couldn't certify, it couldn't even make self-sigs on itself (so no user IDs, or subkeys either)
David
More information about the Gnupg-users
mailing list