[2] How can you create a subkey that can be added to a PGPSecretKeyRing ?


[2] How can you create a subkey that can be added to a PGPSecretKeyRing ?

Denis BEURIVE

Hello,

Finally, this is the most elegant way I found for creating a subkey designed to be added to a keyring: I use an intermediate keyring generator.

Let's say that:

  • we want to generate a subkey for the keyring "KR".
  • the master key of the "KR" keyring is "MK".
kr-before.png
First, we initialize a keyring generator (let's call it "KRG") with 2 key pairs:
  • the first key pair is built using "MK".
  • the second key pair is generated (using a key pair generator).

Then, we generate a temporary keyring (let's call it "TKR") using the previously created keyring generator ("KRG"). "TKR" contains:

  • the master key "MK".
  • the new subkey, designed to be added to "KR". Let's call this subkey "SBK".
kr-middle.png
Finally, we extract "SBK" from "TKR" and we add it to "KR".

kr-after.png

It works. However, I wonder: can you create a subkey without the use of a keyring generator?

Regards,

Denis
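
The procedure described in this post, written against the Bouncy Castle OpenPGP API as an added example (it is not code from the poster or from the Bouncy Castle project). Assumptions: the class and method names are hypothetical, the new subkey is a 3072-bit RSA encryption-only subkey protected with the same passphrase as "MK", and the user ID given to the temporary ring is a throwaway value that never reaches "KR".

```java
import java.security.*;
import java.util.Date;
import org.bouncycastle.bcpg.*;
import org.bouncycastle.bcpg.sig.KeyFlags;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
import org.bouncycastle.openpgp.operator.jcajce.*;

public class AddSubkey {   // hypothetical class name
    static { Security.addProvider(new BouncyCastleProvider()); }

    /** Returns a copy of "KR" that also holds a new encryption subkey ("SBK") bound to "MK". */
    static PGPSecretKeyRing addEncryptionSubkey(PGPSecretKeyRing kr, char[] pass) throws Exception {
        PGPDigestCalculator sha1 =
            new JcaPGPDigestCalculatorProviderBuilder().build().get(HashAlgorithmTags.SHA1);

        // First key pair: rebuilt from "MK", the master key already in "KR".
        PGPSecretKey mk = kr.getSecretKey();
        PGPKeyPair mkPair = new PGPKeyPair(mk.getPublicKey(), mk.extractPrivateKey(
            new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(pass)));

        // Second key pair: freshly generated (key size is an assumption).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(3072);
        PGPKeyPair sbkPair = new JcaPGPKeyPair(
            PublicKeyAlgorithmTags.RSA_GENERAL, kpg.generateKeyPair(), new Date());

        // "KRG": keyring generator initialised with "MK"; the user ID is a throwaway.
        PGPKeyRingGenerator krg = new PGPKeyRingGenerator(
            PGPSignature.POSITIVE_CERTIFICATION, mkPair, "temporary", sha1, null, null,
            new JcaPGPContentSignerBuilder(mk.getPublicKey().getAlgorithm(),
                HashAlgorithmTags.SHA256).setProvider("BC"),
            new JcePBESecretKeyEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256, sha1)
                .setProvider("BC").build(pass));

        // Mark the subkey encryption-only in the binding signature that "MK" issues.
        PGPSignatureSubpacketGenerator flags = new PGPSignatureSubpacketGenerator();
        flags.setKeyFlags(true, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE);
        krg.addSubKey(sbkPair, flags.generate(), null);

        // "TKR": temporary ring holding "MK" and "SBK".
        PGPSecretKeyRing tkr = krg.generateSecretKeyRing();

        // Extract "SBK" (with its subkey binding signature) and add it to "KR".
        PGPSecretKey sbk = tkr.getSecretKey(sbkPair.getKeyID());
        return PGPSecretKeyRing.insertSecretKey(kr, sbk);
    }
}
```

Only the subkey and its binding signature are carried over from the temporary ring; the user ID certification created on "MK" for that ring is discarded with it.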






Re: [2] How can you create a subkey that can be added to a PGPSecretKeyRing ?

David Hook-3

I really had to think about this one.

So, yes, that's probably the most elegant way of doing it at the moment. The issue is really around the need for the sub-key to be signed.

Looking at it, I think what we've missed is that the subkey binding signature is only added to subkeys, so it should go into subsigs (so converting what might be a master key to a subkey). In the case of a signing subkey there should also be a check for an embedded signature subpacket containing a primary key binding signature if the subkey is also a signing key.

I think we can simplify this further. Sort of. Will have a bit more of a think.

Regards,

David

On 25/5/20 5:45 am, Denis BEURIVE wrote:

Hello,

Finally, this is the most elegant way I found for creating a subkey designed to be added to a keyring: I use an intermediate keyring generator.

Let's say that:

  • we want to generate a subkey for the keyring "KR".
  • the master key of the "KR" keyring is "MK".
kr-before.png
First, we initialize a keyring generator (let's call it "KRG") with 2 key pairs:
  • the first key pair is built using "MK".
  • the second key pair is generated (using a key pair generator).

Then, we generate a temporary keyring (let's call it "TKR") using the previously created keyring generator ("KRG"). "TKR" contains:

  • the master key "MK".
  • the new subkey, designed to be added to "KR". Let's call this subkey "SBK".
kr-middle.png
Finally, we extract "SBK" from "TKR" and we add it to "KR".

kr-after.png

It works. However, I wonder: can you create a subkey without the use of a keyring generator?

Regards,

Denis