What is a GPG with "authenticate" capability used for?

GnuPG subkeys can be flagged with three kinds of capabilities: Sign, Encrypt and Authenticate.

While the first two actions are widely used and documented, the authenticate action is somewhat mysterious. You can make such a key only by editing a primary key with the --expert option:

$ gpg --expert --edit-key 889C36B7
gpg (GnuPG/MacGPG2) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
gpg> addkey
...
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished
...

There are rumors about GPG keys being used to do SSH authentication, but I haven't read or found a way to make it work. There are also a couple of unanswered questions concerning [gpg] and [ssh] interaction:

Are GPG and SSH keys interchangeable?

How to use gpg and SSH together?

Apart from this, I cannot find other uses for the "authentication" subkeys.

Claudio Floreani

Posted 2012-02-15T16:33:02.337

Reputation: 682

Answers


OpenPGP keys can be used for authentication in various protocols:

  • SSH, as bare ssh-rsa keys (monkeysphere subkey-to-ssh-agent, or smartcards)

  • SSH, as pgp-sign-rsa certificates (no implementations known to me)

  • TLS according to RFC 5081 (supported by GnuTLS)

  • of course, less well-known protocols and software such as gpgauth.org, Enigform, and such; they do find the "authentication" flag suitable.

user1686

Posted 2012-02-15T16:33:02.337

Reputation: 283 655
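As an added example (not part of the question or the answer above), the following script does non-interactively what the --expert addkey dialogue in the question does by hand: it creates a primary key, attaches a subkey whose only capability is Authenticate, and then shows the first item of the answer in practice by handing that subkey to SSH. It uses gpg-agent's own SSH-agent emulation (enable-ssh-support plus an sshcontrol entry) rather than monkeysphere, and it assumes GnuPG 2.1 or later for --quick-generate-key, --quick-add-key and --export-ssh-key. The user ID and the throwaway GNUPGHOME are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original question or answer: build a key whose
# only subkey carries the Authenticate capability, then expose that subkey to
# SSH through gpg-agent. Everything runs in a throwaway GNUPGHOME.
# Assumptions: GnuPG >= 2.1 (for --quick-generate-key, --quick-add-key and
# --export-ssh-key); the user ID below is invented for the demo.
set -eu

export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
chmod 700 "$GNUPGHOME"
DEMO_UID="Auth Demo <auth-demo@example.invalid>"

# Common flags: batch mode with an empty passphrase so nothing prompts.
gpg_batch() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Create a certify-only primary key (no S/E/A on the primary) and print its
# fingerprint. Field 10 of the colon-format "fpr" record is the fingerprint.
make_primary() {
    gpg_batch --quick-generate-key "$DEMO_UID" rsa3072 cert never >/dev/null
    gpg --batch --with-colons --list-keys "$DEMO_UID" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Non-interactive equivalent of the --expert addkey dialogue with only (A)
# toggled on: a subkey whose usage is "auth" and nothing else.
add_auth_subkey() {
    gpg_batch --quick-add-key "$1" rsa3072 auth never
}

# Capability letters of every subkey (field 12 of "sub" records); an
# authenticate-only subkey shows up as "a".
subkey_caps() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1 == "sub" { print $12 }'
}

# Keygrip of the first authentication-capable subkey. The "grp" record that
# follows a "sub" record carries that subkey's keygrip in field 10.
auth_keygrip() {
    gpg --batch --with-colons --with-keygrip --list-keys "$1" \
        | awk -F: '$1 == "sub" { want = ($12 ~ /a/); next }
                   want && $1 == "grp" { print $10; exit }'
}

# The same subkey as an OpenSSH public key line, ready for authorized_keys.
export_ssh_pubkey() {
    gpg --export-ssh-key "$1"
}

# Register the subkey with gpg-agent's SSH emulation: enable-ssh-support in
# gpg-agent.conf, and the keygrip in sshcontrol ("0" = default TTL), then
# restart the agent so the new configuration is picked up.
enable_ssh_via_agent() {
    printf 'enable-ssh-support\n' >>"$GNUPGHOME/gpg-agent.conf"
    printf '%s 0\n' "$(auth_keygrip "$1")" >>"$GNUPGHOME/sshcontrol"
    gpgconf --kill gpg-agent
}

# Walk through the whole procedure. Afterwards an ssh client whose
# SSH_AUTH_SOCK points at $(gpgconf --list-dirs agent-ssh-socket) offers
# the authentication subkey like any other agent-held key.
demo() {
    fpr=$(make_primary)
    add_auth_subkey "$fpr"
    echo "subkey capabilities: $(subkey_caps "$fpr")"
    export_ssh_pubkey "$fpr"
    enable_ssh_via_agent "$fpr"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh auth-subkey.sh run`. The interesting check is `subkey_caps`: the colon-format capability field of the new subkey reads exactly `a`, so the key can neither sign data nor decrypt, which is the whole point of a dedicated authentication subkey. The exported line begins with `ssh-rsa`, i.e. the bare key the answer refers to; the OpenPGP certificate structure around it plays no role in the SSH exchange.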

Yes, "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication" is an interesting draft. But apart from that it seems that the authentication facility was added as a "bonus", but relies completely on third-party implementations. I will wait for some time to collect other answers before accepting your good one. Thanks – Claudio Floreani – 2012-02-17T17:01:53.967