
Kleopatra key creation -- incorrect "usage" for primary key?

dmwhite, Registered Member
Hi all,

I just installed Kleopatra v3.1.4 on Windows 10 and noticed that, while going through the "New Key Pair" wizard, the resulting primary key had an assigned usage of Encrypt, Sign while the subkey had an assigned usage of Encrypt.

Name: My Name
Email Address: myname@example.com
Key Type: RSA
Key Strength: 2048 bits
Usage: Encrypt, Sign
Subkey Type: RSA
Subkey Strength: 2048 bits
Subkey Usage: Encrypt
Valid Until: Monday, November 9, 2020

On my Ubuntu systems, using gpg2, the primary key by default has an assigned usage of Sign, Certify:

pub   rsa2048/XXXXXXXX 2017-09-14 [SC] [expires: 2020-12-31]
uid         [ultimate] My Name <my.name@example.com>
sub   rsa2048/YYYYYYYY 2017-09-14 [E] [expires: 2020-12-31]

(the [SC] in the primary key indicates usage: Sign/Certify)

This latter assignment (gpg2) seems correct to me; the former (Kleopatra) seems incorrect, at least from a best-practices point of view.

It is my understanding that the recommended usage for the primary key is to Sign and Certify, and that subkeys can then be created for encrypting, authenticating and further signing. So there appear to be two things wrong here:
  • the primary key should not generally be used for encrypting.
  • the same key should not be used for both signing and encrypting, as that can lead to unexpected breaches of privacy.

These concepts are laid out here https://gnupg.org/ftp/people/neal/an-advanced-introduction-to-gnupg/openpgp/openpgp.pdf as well as in other forums.

Additionally, changing the primary key's usage after the fact (after creation) doesn't appear to be a supported procedure in OpenPGP/GnuPG-based tools.

Finally, according to https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html, under "Key-Usage: usage-list":

"OpenPGP requires that all primary keys are capable of certification, so no matter what usage is given here, the ‘cert’ flag will be on."

So the usage assignments seem to violate this requirement.
Is this a bug? Can anyone confirm?
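A way to check the three points above against an actual keyring, as an added example that is not code from the poster, Kleopatra or GnuPG: gpg's machine-readable listing (`gpg --list-keys --with-colons`) puts each key's capability letters in field 12, lowercase for the key's own flags (e = encrypt, s = sign, c = certify, a = authenticate) and uppercase for the capabilities of the whole key including subkeys. The script below parses that format and reports a primary key that lacks the certify flag, a primary key that can encrypt, or any key flagged for both signing and encryption. The sample listings are constructed, not captured from a real keyring; the key IDs, fingerprints and timestamps in them are placeholders, and the `KLEOPATRA_LAYOUT` sample assumes, as the GnuPG manual quoted above says, that the certify flag is forced on even when the wizard reports only Encrypt, Sign.

```python
"""Audit OpenPGP key usage flags from `gpg --list-keys --with-colons` output.

Added example, not part of the original forum post. Field layout follows
GnuPG's doc/DETAILS: field 1 is the record type, field 5 the key ID and
field 12 the capability letters (lowercase = this key, uppercase = whole key).
"""
import subprocess
from typing import Dict, List, Optional, Set

# Constructed sample: the layout gpg2 produces by default (primary [SC], subkey [E]).
GPG_LAYOUT = """\
pub:u:2048:1:0123456789ABCDEF:1505347200:1609372800::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000123456789ABCDEF:
uid:u::::1505347200::0000000000000000000000000000000000000000::My Name <my.name@example.com>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1505347200:1609372800:::::e::::::23:
fpr:::::::::0000000000000000000000000FEDCBA9876543210:
"""

# Constructed sample modelling the layout the Kleopatra wizard reported:
# primary usable for encryption and signing (cert assumed forced on), subkey encrypt only.
KLEOPATRA_LAYOUT = """\
pub:u:2048:1:1111111111111111:1510185600:1604880000::u:::escESC::::::23::0:
uid:u::::1510185600::1111111111111111111111111111111111111111::My Name <myname@example.com>::::::::::0:
sub:u:2048:1:2222222222222222:1510185600:1604880000:::::e::::::23:
"""

# Constructed sample of a primary key with the certify flag missing entirely.
NO_CERT_LAYOUT = """\
pub:u:2048:1:3333333333333333:1510185600:1604880000::u:::sSE::::::23::0:
sub:u:2048:1:4444444444444444:1510185600:1604880000:::::e::::::23:
"""


def parse_keys(listing: str) -> List[Dict[str, object]]:
    """Return one entry per pub/sub record with that key's own (lowercase) capabilities."""
    keys: List[Dict[str, object]] = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        own_caps: Set[str] = {c for c in fields[11] if c.islower()}
        keys.append({"type": fields[0], "keyid": fields[4], "caps": own_caps})
    return keys


def audit(listing: str) -> List[str]:
    """Apply the three usage rules from the post and return human-readable findings."""
    findings: List[str] = []
    for key in parse_keys(listing):
        caps = key["caps"]
        tag = f"{key['type']} {key['keyid']}"
        if key["type"] == "pub" and "c" not in caps:
            findings.append(f"{tag}: primary key lacks the certify flag")
        if key["type"] == "pub" and "e" in caps:
            findings.append(f"{tag}: primary key is usable for encryption")
        if {"s", "e"} <= caps:
            findings.append(f"{tag}: same key used for both signing and encryption")
    return findings


def audit_keyring(gnupghome: Optional[str] = None) -> List[str]:
    """Run gpg on a real keyring (optionally a specific --homedir) and audit it."""
    cmd = ["gpg"]
    if gnupghome:
        cmd += ["--homedir", gnupghome]
    cmd += ["--list-keys", "--with-colons"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for name, sample in (("gpg2 default", GPG_LAYOUT),
                         ("Kleopatra wizard", KLEOPATRA_LAYOUT),
                         ("no certify flag", NO_CERT_LAYOUT)):
        print(f"{name}:")
        for finding in audit(sample) or ["ok"]:
            print(f"  {finding}")
```

Run it as-is to see the three constructed cases, or call `audit_keyring()` to check the keyring gpg actually uses; any finding on a `pub` record is something that cannot be changed later, so it is worth checking right after creating a key.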

