Multiple Subkey Pairs

Hauke Laging mailinglisten at hauke-laging.de
Thu Mar 13 15:31:06 CET 2014


On Thu 13.03.2014, 11:44:08, Martin Behrendt wrote:
> Hi,
> 
> I want to achieve the following:
> 1. A Master signing key
> 2. A subkey signing/enc pair for my normal machine
> 3. A subkey signing/enc pair for e.g. my mobile device

This is not possible in a useful sense and furthermore it doesn't make 
much sense either (in today's technical situation; this could change).

The main problem is that (in a kind of normal scenario) you don't 
control which keys other people use for encrypting data to you.

Similarly bad is the point that you make keys which are of quite 
different quality look equal. That is the opposite of what we need.

In theory this transparency could be achieved within a certificate by 
marking subkeys differently (signature notations) but today you should 
use separate certificates at any rate.


> Now the following problem arises (at least from the reading I have
> done). As I understand gpg only uses one of the encryption subkeys to
> encrypt the message. So the question is, is it possible to encrypt to
> all encryption subkeys in a key?

gpg --recipient 0xD4BC64B8\! --recipient 0x7CDBED88\! 

Not explicitly. There is no --encrypt-to-all-subkeys option.


> And if yes, is there an easy way to
> do it, so also not just me can handle that, but also the people who
> sent me encrypted mails.

I guess that would be quite complicated. I am not even aware of such a 
feature in the mail clients on the certificate level.

Unfortunately my proposal for conditional blocks in gpg.conf was 
declined... That would allow for such a feature:

"If it is an encryption operation to 0x12345678; then
encrypt-to 0xD4BC64B8\!
encrypt-to 0x7CDBED88\! 
fi"


> (And if not, does it make sense to implement
> something like this in gnupg?)

Good luck...


> And a more general question: This approach generates some overhead so
> is there maybe a way to achieve something similar more easily?

We need transparency of the security level of keys (not just in 
OpenPGP):

http://www.crypto-fuer-alle.de/wishlist/securitylevel/
(German only, sorry)


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
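Added example (not from the thread or from GnuPG): a small parser, in the spirit of gpg --list-packets, that lists the key IDs named by the PKESK packets of a binary OpenPGP message, so a recipient can check whether a sender actually encrypted to both subkeys. The sample message, the 64-bit key IDs (constructed so that their low 32 bits match the short IDs above) and the function names are constructed for illustration.

```python
PKESK_TAG = 1  # Public-Key Encrypted Session Key packet, RFC 4880 section 5.1

def _read_packet(data, pos):
    """Parse one OpenPGP packet header at data[pos]; return (tag, body, next_pos)."""
    ctb = data[pos]
    if ctb & 0x40:  # new-format header (RFC 4880, 4.2.2): one to five length octets
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            blen, hdr = first, 2
        elif first < 224:
            blen, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
        elif first == 255:
            blen, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header (RFC 4880, 4.2.1): length-type bits give 1, 2 or 4 octets
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)
        blen = int.from_bytes(data[pos + 1:pos + hdr], "big")
    return tag, data[pos + hdr:pos + hdr + blen], pos + hdr + blen

def recipient_key_ids(message):
    """Hex key IDs named by every version-3 PKESK packet in a binary OpenPGP message."""
    ids, pos = [], 0
    while pos < len(message):
        tag, body, pos = _read_packet(message, pos)
        if tag == PKESK_TAG and body[0] == 3:
            ids.append(body[1:9].hex().upper())  # the 8-octet key ID follows the version
    return ids

def missing_recipients(message, expected_short_ids):
    """Short (32-bit) key IDs from expected_short_ids that no PKESK in the message names."""
    found = {kid[-8:] for kid in recipient_key_ids(message)}
    return sorted(k.upper() for k in expected_short_ids if k.upper() not in found)

def _pkesk(key_id_hex):
    """Constructed sample PKESK: version 3, key ID, RSA (algo 1), dummy 8-bit MPI."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\x80"
    return bytes([0xC0 | PKESK_TAG, len(body)]) + body

# Constructed sample: two PKESKs (long IDs ending in the short IDs from the mail) plus
# a 3-octet SEIPD (tag 18) placeholder body; it carries no real ciphertext.
SAMPLE = _pkesk("1234ABCDD4BC64B8") + _pkesk("5678EF017CDBED88") + bytes([0xD2, 3, 1, 0, 0])

if __name__ == "__main__":
    print(recipient_key_ids(SAMPLE))
    print(missing_recipients(SAMPLE, ["D4BC64B8", "7CDBED88", "DEADBEEF"]))
```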