
Certifying other pub keys without master key

Open · nerdiges opened this issue 3 years ago · 1 comment

Hello,

thank you very much for the comprehensive guide.

After setting up my yubikeys successfully, I recognized that it seems as if I need access to the master key in order to sign other public keys. Even if it is technically possible to force foreign key signing with a sub key, it seems to be quite uncommon. Thus, if I want to send encrypted mails with the mail client Evolution I am forced to use the option "Always trust keys in my keyring when encrypting" in order to be able to send encrypted mails. Otherwise I get an error message that a trusted public key could not be found. The other option would be using the offline copy of the master key.

I totally understand that you want to keep the master key offline only in order to mitigate the risk of master key compromise. But if I have to accept all public keys in order to send encrypted mails this will increase the risk that fake keys could be used to intercept messages.

Am I missing something or is there any way to do key signing with sub keys with standard GPG GUIs such as Seahorse that are accepted by standard applications such as Evolution?

Stephan

nerdiges · Nov 26 '21 19:11

I could be wrong here because I'm a bit tired but isn't trusting a function of the GPG software upon the keyring files and doesn't involve the master key? All it is doing is saying that I personally trust this public key to some level that I choose.

Signing other public keys is obviously a different matter as it needs a signing subkey (or an all-in-one master key) and I think a key with certify (the master key).

iandstanley · Jun 02 '22 11:06

At least according to https://security.stackexchange.com/questions/153057/possible-to-sign-an-imported-key-with-a-subkey-using-gpg a subkey cannot be used for certification.

espindola · Oct 19 '22 12:10
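Added example, not from the guide or from anyone in this thread: a small shell helper that reads a `gpg -K --with-colons` listing and shows why certifying a third-party key fails in the YubiKey setup described above. Only the primary key carries the certify capability, and with the master key offline its secret part is a stub (what `gpg -K` shows as `sec#`), so `--sign-key` / `--lsign-key` has nothing to sign with. The sample listing, key IDs and token serial are constructed placeholders; field positions follow GnuPG's DETAILS documentation (field 12 = key capabilities, field 15 = token serial, or `#` for a secret-key stub).

```shell
#!/bin/sh
# Constructed sample of `gpg -K --with-colons` output (placeholder key IDs and
# token serial): primary key is a stub ('#'), the three subkeys live on a token.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1617235200:::u:::cESCA:::#:::23::0:
uid:u::::1617235200::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1617235200::::::s:::D2760001240103040006123456780000:::23::0:
ssb:u:4096:1:1122334455667788:1617235200::::::e:::D2760001240103040006123456780000:::23::0:
ssb:u:4096:1:8877665544332211:1617235200::::::a:::D2760001240103040006123456780000:::23::0:'

# report_keys LISTING
# Prints one line per sec/ssb record:
#   <type> <keyid> certify=<yes|no> secret=<local|stub|token:SERIAL>
# A lowercase 'c' in field 12 means this particular key may certify others;
# field 15 is '#' for a stub, a serial number for a token, empty if on disk.
report_keys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" || $1 == "ssb" {
            certify = (index($12, "c") > 0) ? "yes" : "no"
            if ($15 == "#")      where = "stub"
            else if ($15 != "")  where = "token:" $15
            else                 where = "local"
            print $1, $5, "certify=" certify, "secret=" where
        }'
}

# can_certify_locally LISTING
# Succeeds (exit 0) only if some key has the certify capability AND its secret
# material is not a stub, i.e. the condition gpg needs to sign another key.
# With the master key offline this fails, which is the behaviour the thread
# describes; it is a check, not a way around the missing key.
can_certify_locally() {
    printf '%s\n' "$1" | awk -F: '
        ($1 == "sec" || $1 == "ssb") && index($12, "c") > 0 && $15 != "#" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage against the constructed sample (replace with: gpg -K --with-colons)
report_keys "$SAMPLE_LISTING"
if can_certify_locally "$SAMPLE_LISTING"; then
    echo "certify-capable secret key present: gpg --sign-key will work"
else
    echo "no usable certify key on this machine (master key is a stub/offline)"
fi
```

Note that ownertrust (`gpg --edit-key ... trust`) is a separate, local statement about how much you trust a key's owner to certify others and never needs the master key; only certification itself does.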

@espindola thanks for looking into this.

drduh · Dec 26 '22 18:12