diff --git a/g10/getkey.c b/g10/getkey.c
index ce59628a0..1898acb4d 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -3090,7 +3090,8 @@ merge_selfsigs_main (ctrl_t ctrl, kbnode_t keyblock, int *r_revoked,
   if (!key_usage)
     {
       /* No key flags at all: get it from the algo.  */
-      key_usage = openpgp_pk_algo_usage (pk->pubkey_algo);
+      key_usage = (openpgp_pk_algo_usage (pk->pubkey_algo)
+                   & PUBKEY_USAGE_BASIC_MASK);
     }
   else
     {
@@ -3364,7 +3365,8 @@ merge_selfsigs_subkey (ctrl_t ctrl, kbnode_t keyblock, kbnode_t subnode)
   if (!key_usage)
     {
       /* No key flags at all: get it from the algo.  */
-      key_usage = openpgp_pk_algo_usage (subpk->pubkey_algo);
+      key_usage = (openpgp_pk_algo_usage (subpk->pubkey_algo)
+                   & PUBKEY_USAGE_BASIC_MASK);
     }
   else
     {
diff --git a/g10/packet.h b/g10/packet.h
index 39dab96c9..fba2b1423 100644
--- a/g10/packet.h
+++ b/g10/packet.h
@@ -60,6 +60,10 @@
 #define PUBKEY_USAGE_RENC    1024                /* Restricted encryption.  */
 #define PUBKEY_USAGE_TIME    2048                /* Timestamp use.  */
 
+/* The usage bits which can be derived from the algo.  */
+#define PUBKEY_USAGE_BASIC_MASK  (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC\
+                                  |PUBKEY_USAGE_CERT|PUBKEY_USAGE_AUTH)
+
 /* Bitflags to convey hints on what kind of signature is created.  */
 #define SIGNHINT_KEYSIG  1
 #define SIGNHINT_SELFSIG 2