[Enigmail] Signing subkey - different key id.

Charly Avital shavital at mac.com
Fri Feb 6 04:46:25 PST 2009


ushills wrote the following on 2/6/09 5:20 AM:
> I need to see if I have done this correctly, I have created a signing
> sub-key as recommended on this mailing list to sign emails on less
> trustworthy machines without exposing my primary key.
> 
> However, when opening the email the signature does not reference my
> primary key and therefore from my perspective appears to indicate that
> the email  could be sent from someone pretending to be me with a key
> they have created themselves.
> 
> My primary key id is 0xBE7E87FD, however all signatures come across as
> 0xCA265DC6 is this how it is supposed to work.

Yes.
> I have attached my
> public key, can someone verify that this has come from the correct
> identity.

I have received no public key attached to any of your postings to this
list. Please read on.
> 
> Also, I set a different passphrase for the signing sub-key, however,
> when sending from thunderbird I have to enter the passphrase from my
> primary key not the sub-key, is this correct - it doesn't appear to be
> as I do not want any potential key logger to grab my primary key
> passphrase however I don't mind it grabbing my sub-key passphrase as I
> can revoke that sub-key and create another easily.

I believe that when signing, IF your system is using ONLY the newly
generated signing subkey, you should be required to enter the passphrase
you entered when you generated that signing subkey.

On with your postings, in order to sum them up.

> As I have created a separate signing sub key (see separate post about
> issues with this) how do I go about just creating a revocation
> certificate for the sub-key and not my primary key.

You are running a Windows platform. I don't know how to do that in
Windows, I am a Mac user.

When running MacOSX or any Linux operating system, where Terminal is
available, you use the --edit-key command, then you choose the uid of
the subkey you want to revoke, and you issue the command --gen-revoke.

You'll get a proper answer from other members of this forum.

> My primary key id is 0xBE7E87FD, however all signatures come across as
> 0xCA265DC6 is this how it is supposed to work.  I have attached my
> public key, can someone verify that this has come from the correct
> identity.
When I download key 0xBE7E87FD, I get:
This key may be revoked by DSA key 43501E64 [?]
pub  1024D/BE7E87FD  created: 2007-03-14  expires: never       usage: SC
                     trust: unknown       validity: full
sub  2048g/3173113E  created: 2007-03-14  expires: never       usage: E
[  full  ] (1). Web Ushills <web at ushills.co.uk>
[ unknown] (2). [jpeg image of size 3099]
[ unknown] (3)  Ian Hill <ian at ushills.co.uk>
[  full  ] (4)  Ian Hill <ianjameshill at gmail.com>
[  full  ] (5)  Ian Hill <ian.hill at turntown.co.uk>
[ revoked] (6)  Ian Hill (Work Email) <ian.hill at ayh.co.uk>
[  full  ] (7)  ushills (Secure email to ushills.co.uk) <secure at ushills.co.uk>
[ unknown] (8)  [jpeg image of size 2408]

If your primary key is, as you indicate BE7E87FD, and if you have
created a signing subkey (that apparently would be CA265DC6), the latter
does not show in the above key as I have downloaded it (more than once)
from the keyservers.

There are two possibilities:
- you have not uploaded your new key block (after generating a signing
subkey) to the keyservers.
- if you have uploaded it, it has not yet propagated.

Did you upload your new key block to the keyservers?

I'd like to point out that:

if key BE7E87FD is your key, it was generated on 2007-03-14, it was a
"basic" 1024 bits DSA key - was the signing subkey you generated also a
1024 bits key? Apparently yes, judging from the SHA1 digest that shows
in your in-line signed e-mail. Did you cross-certify your newly
generated signing subkey?

You are still running gpg 1.4.7. Let me suggest that you update your
system to gpg 1.4.9, that is the current stable release.

Best of luck.
Charly
MacOS 10.5.6 - MacBook Intel C2Duo "Aluminum Late 2008"- GnuPG 1.4.9 -
GPG2 2.0.10 - Thunderbird 2.0.0.19 - Enigmail 0.95.7 (Testing Shredder
3.0b2pre+EM 0.96a+)- Apple's Mail+GPGMail 1.2.0 (v56), PGP key: 0xA57A8EFA
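The question that opens the thread (a signature shows 0xCA265DC6 while the primary key is 0xBE7E87FD, so how does a recipient know the two belong together?) is answered by looking the issuer up inside the primary key's own key block, which is what Charly did by hand with the --edit-key listing. Below is an added example, not code from the thread, from Enigmail or from GnuPG, that does the same check programmatically over the machine-readable output of `gpg --list-keys --with-colons --with-fingerprint 0xBE7E87FD`. The listing embedded in the script is constructed for the example: the 8-character short IDs are the ones quoted in the thread, but the long IDs, fingerprints and dates are invented, and it assumes the signing subkey has already been uploaded (which, as Charly notes, had not yet happened). The function and variable names are the example's own.

```python
"""Resolve the issuer key ID on an OpenPGP signature to the primary key that owns it.

Signatures made with a signing subkey carry the subkey's ID, not the primary
key's. To confirm the identity behind such a signature, find the subkey inside
the key block of the primary key you already trust. Input is gpg's
--with-colons listing; the sample below is constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Letter gpg appends to the bit length in its human listing (1024D, 2048g, 2048R),
# keyed by the OpenPGP algorithm ID found in field 4 of --with-colons output.
ALGO_LETTER = {1: "R", 16: "g", 17: "D"}


@dataclass
class Key:
    kind: str              # "pub" (primary) or "sub" (subkey)
    keyid: str             # field 5: 16-hex long key ID
    validity: str          # field 2: f=full, u=ultimate, -=unknown, r=revoked, e=expired
    bits: int              # field 3
    algo: int              # field 4
    created: str           # field 6: YYYY-MM-DD in gpg 1.4, epoch seconds with --fixed-list-mode / gpg 2.1+
    caps: str              # field 12: lowercase letters are this key's own capabilities (e/s/c/a)
    fingerprint: str = ""  # filled from the fpr record that follows the key


@dataclass
class KeyBlock:
    primary: Key
    uids: List[str] = field(default_factory=list)      # non-revoked user IDs
    subkeys: List[Key] = field(default_factory=list)


def parse_colons(listing: str) -> List[KeyBlock]:
    """Group --with-colons records into key blocks, one per pub record."""
    blocks: List[KeyBlock] = []
    last_key: Optional[Key] = None
    for raw in listing.splitlines():
        f = raw.split(":")
        rec = f[0]
        if rec in ("pub", "sub"):
            caps = f[11] if len(f) > 11 else ""
            key = Key(rec, f[4].upper(), f[1], int(f[2] or 0), int(f[3] or 0), f[5], caps)
            if rec == "pub":
                blocks.append(KeyBlock(primary=key))
                if f[9]:                       # gpg 1.4 puts the first uid on the pub line
                    blocks[-1].uids.append(f[9])
            else:
                blocks[-1].subkeys.append(key)
            last_key = key
        elif rec == "fpr" and last_key is not None:
            last_key.fingerprint = f[9].upper()    # fpr belongs to the most recent pub/sub
        elif rec == "uid" and blocks and f[1] != "r":
            blocks[-1].uids.append(f[9])
        # tru, uat (photo IDs), sig and other records are not needed here
    return blocks


def normalize_keyid(keyid: str) -> str:
    """Accept bare or 0x-prefixed short (8), long (16) or fingerprint (40) hex IDs."""
    k = keyid.strip().upper()
    if k.startswith("0X"):
        k = k[2:]
    if not re.fullmatch(r"[0-9A-F]{8}|[0-9A-F]{16}|[0-9A-F]{40}", k):
        raise ValueError(f"not a key ID or fingerprint: {keyid!r}")
    return k


def human_line(key: Key) -> str:
    """Render a key as gpg's --edit-key listing does, e.g. 'pub  1024D/BE7E87FD ... usage: SC'."""
    usage = "".join(c for c in key.caps if c.islower()).upper()
    return (f"{key.kind}  {key.bits}{ALGO_LETTER.get(key.algo, '?')}/{key.keyid[-8:]}"
            f"  created: {key.created}  usage: {usage}")


def resolve_issuer(blocks: List[KeyBlock], issuer: str) -> Optional[Dict]:
    """Return facts about the key block carrying the issuer ID, or None if no known block does."""
    q = normalize_keyid(issuer)
    for block in blocks:
        for key in [block.primary] + block.subkeys:
            # A v4 key ID is the tail of its fingerprint, so one suffix match serves
            # short, long and fingerprint queries. Short IDs are not unique by design;
            # compare the fingerprint whenever you have it.
            if (key.fingerprint or key.keyid).endswith(q):
                return {
                    "primary_keyid": block.primary.keyid,
                    "primary_fingerprint": block.primary.fingerprint,
                    "uids": list(block.uids),
                    "is_subkey": key.kind == "sub",
                    "can_sign": "s" in key.caps,
                    "revoked": key.validity == "r" or block.primary.validity == "r",
                    "listing": human_line(key),
                }
    return None


# Constructed sample listing (fixed-list-mode layout). Only the short IDs match the thread;
# the long IDs, fingerprints, dates and the revoked subkey 12345678 are invented.
SAMPLE_LISTING = """\
tru::1:1233900000:0:3:1:5
pub:f:1024:17:F1E2D3C4BE7E87FD:2007-03-14:::-:::scESC:
fpr:::::::::A0B1C2D3E4F5A6B7C8D9E0F1F1E2D3C4BE7E87FD:
uid:f::::2007-03-14::0123456789ABCDEF0123456789ABCDEF01234567::Web Ushills <web at ushills.co.uk>:
uid:f::::2007-03-14::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Ian Hill <ianjameshill at gmail.com>:
uid:r::::2007-03-14::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Ian Hill (Work Email) <ian.hill at ayh.co.uk>:
sub:f:2048:16:A1B2C3D43173113E:2007-03-14::::::e:
fpr:::::::::B1C2D3E4F5A6B7C8D9E0F1A2A1B2C3D43173113E:
sub:r:1024:17:9876543212345678:2008-06-01::::::s:
fpr:::::::::C2D3E4F5A6B7C8D9E0F1A2B39876543212345678:
sub:f:1024:17:0A1B2C3DCA265DC6:2009-02-05::::::s:
fpr:::::::::D3E4F5A6B7C8D9E0F1A2B3C40A1B2C3DCA265DC6:
"""

if __name__ == "__main__":
    blocks = parse_colons(SAMPLE_LISTING)
    for issuer in ("0xBE7E87FD", "0xCA265DC6", "0x12345678", "0xDEADBEEF"):
        hit = resolve_issuer(blocks, issuer)
        if hit is None:
            print(f"{issuer}: in no known key block (not uploaded yet, or not yet propagated?)")
        else:
            print(f"{issuer}: {hit['listing']}  -> primary {hit['primary_keyid'][-8:]}, "
                  f"signs={hit['can_sign']}, revoked={hit['revoked']}, uid={hit['uids'][0]}")
```

The issuer ID to feed in is the one gpg prints on the "Signature made ... using DSA key ID CA265DC6" line of `gpg --verify`, or the one Enigmail shows in the message header. Two caveats: the lookup deliberately returns None when the subkey is absent from the key block, which is exactly the state Charly found on the keyservers, so a None here means "refresh the key and retry" before concluding anything about the signer; and this listing cannot tell you whether the subkey is cross-certified (the back-signature Charly asks about), which gpg checks at verification time when `--require-cross-certification` is in effect, the default in later GnuPG releases.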