From Masterkey to subkey

[Peter Lebbing]

On 07/03/17 09:40, Bill Dangerous wrote:
> I would like today to correct my mistake without loosing my key, so I
> need to transform this master key into a subkey.

With GnuPG 2.1, I think this is easily doable. Which version of GnuPG
are you using? With the older branches, this is quite difficult.

I do however wonder why you want to do this in the first place. Your
primary key should not have the Encrypt ability in the first place, and
signature keys are easily exchanged without affecting old signatures.

Is this about the certifications you already have on your old key? You
could publish a key transition statement and ask people to re-certify.
It's not as nice as just having the old certifications work, but that
might not be desirable for other reasons.

I doubt you would benefit from earlier certifications if you started
issuing signatures with your new subkey that was formerly a primary. I
think behaviour might be unreliable. How does the recipient GnuPG know
whether it was issued by your old primary, in its capacity of the old
primary, or by your new subkey? There is nothing in a signature that
indicates this[1]. The GnuPG installation of one person might decide it
is a signature by the old primary, and award validity to it based on
certifications on the old key. A different GnuPG installation might
decide it was the subkey of the new certificate that issued the
signature, and use the validity of the new certificate. People having
both keys might see either behaviour, and might see a new behaviour when
they change something about their public keyring.

Oh, and before you benefit from keeping your primary offline, you'd have
to revoke the old key. Any GnuPG installation that concludes the
signature is by the old primary will immediately flag the signature as
BAD because it was issued after the key was revoked. This makes it even
worse.

In fact, this realization tells me another thing: you can't benefit both
from earlier certifications and from having an offline master key, it is
either-or.

> Indeed, my old master key which is now a
> subkey, has all the flags (SCEA), and I don't know how to change that. I
> would like to limit flags to SE.

Both look wrong to me. Why do you want to have the Encrypt capability on
that key, do you have that on your old primary? It is considered bad
practice to use the same key material for both encryption and
signatures, since it opens the door to some sneaky stuff that is easily
avoided by not using the same key for both. I'm not saying it is readily
exploitable and I'm not saying it is not.

> I would like first to be sure that this process of migrating a master
> key to subkey is reliable ? Am I not breaking something, that I am going
> to regret ?

It sounds like a pretty bad idea to me. I expect recipients to see
breaking signatures, and a primary key with the E capability should be
retired anyway. Don't throw the key away! You'll still need it to
decrypt things that were previously encrypted to it. But don't use it
anymore.

> Is there a way (even if hacking gpg code is needed), to change those
> subkey flags ?

Yes. Let's deal with the rest first.

HTH,

Peter.

[1] There is "Signer's User ID" which could theoretically be used to
differentiate. But this is not widely used, and I doubt it would work in
practice. The purpose is to differentiate between different user id's on
one certificate, not to differentiate between certificates.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170307/a9d33f23/attachment.sig>