How to restrict the usage flags for primary key-pairs in OpenPGP certificates

Tags: certificate, gnupg, pgp

More than once I have read recommendations to use the primary key-pair in my OpenPGP certificate only to sign sub-key-pairs and not for general daily use (and even to keep the private key stored on a non-network-enabled PC for additional security). I recently noticed that each key-pair in my certificate has flags which define the purpose for which it must be used exclusively. As far as I currently understand (I am having trouble finding documentation), the process of signing sub-key-pairs would be depicted by A (for authentication).

In my newly generated certificate, my primary key-pair has the usage flags SC (signature and certification). Now it is quite easy to change these flags for sub-keys with the GnuPG command line tool, but I cannot find any way to modify the usage flags for the primary key-pair.

What I would like to be able to do is limit the primary key-pair so that it can only sign and revoke additional sub-key-pairs in my certificate. Can anyone tell me if this is possible and how to do it?

Best Answer

You'd need the usage flag certify C, which is required by the OpenPGP specifications anyway. Authentication A is rarely used and means you can authenticate yourself (similar to SSH key based authentication).

Yet it is not possible to change the usage flags in GnuPG (but by hacking the code). From a message by Resul Cetin on that mailing list thread:

Ok, it was quite easy to do (not clean, but it could be done in a fast and hackish way). Just searched for gnupg-1.4.9/g10/getkey.c:parse_key_usage and changed p to non-const and always set (*p) &=~2;. Afterwards I started my new compiled hackish-gpg --edit-key and set the expire of my master key. After this procedure I had only the Cert flag set. Thanks Christoph - you are my personal hero of the day :)
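Whichever way the primary key ends up with its flags, the result should be verified rather than assumed. The following is an added example, not code from the question, the answer or GnuPG itself: a small POSIX shell parser over the machine-readable `gpg --list-keys --with-colons` format, whose twelfth field holds the capability letters (lowercase for the key's own flags, uppercase on the primary record for the whole certificate). The listings below are constructed with placeholder key IDs.

```shell
# Constructed sample listings in the `gpg --list-keys --with-colons` format
# (placeholder key IDs, not real keys). Field 12 carries the capability
# letters: lowercase = this key's own flags, uppercase (primary only) =
# the usable flags of the whole certificate.
SAMPLE_SC='pub:u:255:22:0123456789ABCDEF:1600000000:::u:::scESCA::::::23::0:
sub:u:255:22:FEDCBA9876543210:1600000000::::::s::::::23:
sub:u:255:18:0011223344556677:1600000000::::::e::::::23:'

SAMPLE_C='pub:u:255:22:0123456789ABCDEF:1600000000:::u:::cESCA::::::23::0:
sub:u:255:22:FEDCBA9876543210:1600000000::::::s::::::23:
sub:u:255:18:0011223344556677:1600000000::::::e::::::23:
sub:u:255:22:8899AABBCCDDEEFF:1600000000::::::a::::::23:'

# Print "type keyid flags" for every primary (pub) and sub key in a listing,
# keeping only the key's own (lowercase) capability letters.
list_key_flags() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "pub" || $1 == "sub" { c = $12; gsub(/[^a-z]/, "", c); print $1, $5, c }'
}

# Print only the primary key's own capability letters (e.g. "sc" or "c").
primary_key_flags() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "pub" { c = $12; gsub(/[^a-z]/, "", c); print c; exit }'
}

# Succeed (exit 0) only when the primary key is certify-only, i.e. it can
# do nothing but certify (sign sub-keys and user IDs) and revoke.
check_certify_only() {
  [ "$(primary_key_flags "$1")" = "c" ]
}

# Against a live keyring, feed the real listing instead of a sample:
#   check_certify_only "$(gpg --list-keys --with-colons KEYID)"
list_key_flags "$SAMPLE_SC"
check_certify_only "$SAMPLE_SC" && echo "primary key: certify-only" || echo "primary key: has extra flags"
```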
