openpgp + subkeys

Nikos Mavrogiannopoulos nmav at
Wed Jan 16 18:06:15 CET 2008

I've been working a bit lately on the openpgp support of gnutls. The planned 
changes are:
1. To handle subkeys
2. To list/generate keyrings using certtool
3. To list openpgp certificates/keys using certtool

The first is partially completed. However I've come across a limitation of the 
current protocol for openpgp keys (rfc5081). It seems currently there is no 
way to indicate to the peer which subkey to use, thus always the primary key 
has to be used.

Moreover it states that the key has to be marked for authentication, but it 
seems there is no way to arbitrarily mark a public key with gpg (or I 
couldn't find it).

For this reason now on the stable release we always use the primary key and 
ignore the flags of the public keys. 

On the development release I plan to implement a subkey negotiation -by 
sending a keyid at the initial hello messages to indicate the (sub)key that 
will be used during this handshake. 

I was also investigating to using the first subkey with authentication flag 
set, but it seems this approach is not that optimal. Other subkeys might be 
present and the selection of the first seems arbitrary. Thus I'm most in 
favour of the first solution.

What do you think? Any other ideas or comments?


More information about the Gnutls-devel mailing list