[Enigmail] Using a subkey for signing a public key

Michael J Gruber michaeljgruber+mozdevnews at fastmail.fm
Thu Nov 8 02:26:05 PST 2007


Tobias Rapp venit, vidit, dixit 07.11.2007 12:43:
> Hello!
> 
> I am using enigmail with my private subkeys stored on an OpenPGP
> smartcard. Now I wanted to sign somebody's public key and noticed that I
> can't select my signing subkey for that in the dialog - only the main
> key is available in the drop-down list. Key signing fails then with some
> "general error" - most likely because the secret part of the main key is
> not available (it is guarded by Orks as I have followed the HOWTO in [1]
> :-).
> 
> Is my thinking going into the wrong direction or is there a problem with
> enigmail/gnupg? How can I choose my signing subkey in the drop-down
> list? Do I really need the secret main key for signing other keys? I can
> sign my mails using the subkeys pretty fine.
> 
> My first assumption was that it is not working because the subkey
> cross-certification is missing. Then I added the cross-certification as
> described in [2] but the problem remains.

Signing a key is different from signing a message; the former is
actually a certification, the latter a signature. Unfortunately, the
term "signing" is often used interchangeably.

You can sign a message using a signing subkey (usage: S).
There are no certification subkeys. For certification (signing others'
keys), you need a certification key (usage: C), which can only be the
primary key.

In fact, this is one reason why the certification/primary key needs to
be protected best. Also, subkeys can be revoked without revoking the
whole key.

You will have to follow comment 3 in [1], and don't forget to feed the Orks!

Michael
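
Added example, not part of the original message: a small parser for `gpg --list-secret-keys --with-colons` output that reports which keys carry the S and C usage flags and whether their secret part is reachable, which is the situation described in the thread (C only on the primary key, whose secret part is offline). It assumes the GnuPG 2.1+ colon format (field 12 = capabilities, field 15 = `#` for a stub or a card serial number); the key IDs, user ID and card serial in the sample are constructed.

```python
# Constructed sample in the colon format of `gpg --list-secret-keys --with-colons`
# (GnuPG 2.1+ assumed). Key IDs and the card serial number are made up.
SAMPLE = """\
sec:u:2048:1:1111111111111111:1194480000:::u:::scESC:::#:::
uid:u::::1194480000::::Constructed User <user@example.invalid>:
ssb:u:2048:1:2222222222222222:1194480000::::::s:::D2760001240102000000000000010000:::
ssb:u:2048:1:3333333333333333:1194480000::::::e:::D2760001240102000000000000010000:::
"""


def parse_keys(listing):
    """Return one dict per primary key or subkey found in the listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb", "pub", "sub") or len(f) < 12:
            continue
        token = f[14] if len(f) > 14 else ""  # field 15: "#", "+", "" or card serial
        if token == "#":
            secret = "missing"          # stub only: secret part is stored elsewhere
        elif token in ("", "+"):
            secret = "on disk"
        else:
            secret = "on card"
        keys.append({
            "primary": f[0] in ("sec", "pub"),
            "keyid": f[4],
            # Field 12: lowercase letters are this key's own capabilities;
            # uppercase letters on the primary summarise the whole key.
            "caps": {c for c in f[11] if c.islower()},
            "secret": secret,
        })
    return keys


def holders(keys, cap):
    """Key IDs that carry capability `cap` (s, c, e or a)."""
    return [k["keyid"] for k in keys if cap in k["caps"]]


def usable(keys, cap):
    """Key IDs that carry `cap` and whose secret part is reachable."""
    return [k["keyid"] for k in keys if cap in k["caps"] and k["secret"] != "missing"]


if __name__ == "__main__":
    keys = parse_keys(SAMPLE)
    for cap, name in (("s", "sign messages"), ("c", "certify keys")):
        print(f"{name}: holders={holders(keys, cap)} usable={usable(keys, cap)}")
```

On the sample, signing is usable through the card subkey, while the only holder of C is the primary key with a missing secret part, so certification has no usable key.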

