Question about the signer's User ID and notations in the third-party signature on a signed User ID

Friedhelm Waitzmann gnupgmlde.fwnsp at xoxy.net
Sat May 12 07:41:52 CEST 2018


Dear experts!

Given:

(1) GnuPG version:

   gpg (GnuPG) 2.0.14
   libgcrypt 1.4.5
   Copyright (C) 2009 Free Software Foundation, Inc.
   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.

   Home: ~/.gnupg
   Supported algorithms:
   Pubkey: RSA, ELG, DSA
   Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
           CAMELLIA128, CAMELLIA192, CAMELLIA256
   Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
   Compression: Uncompressed, ZIP, ZLIB, BZIP2

(2) a certificate with the primary User ID »AAAAA« and further
User IDs »AAA 1« and »AAA 2«, each of which has a notation
attached:

   $ gpg2 --no-options --list-options=show-notations --list-sigs -- AAAAA
   pub    512D/4F2816D5 2018-05-11 [expires: 2018-06-10]
   uid                  AAAAA
   sig 3        4F2816D5 2018-05-11  AAAAA
   uid                  AAA 1
   sig 3    N   4F2816D5 2018-05-11  AAAAA
      Signature notation: notation@example.com=AAA 1
   uid                  AAA 2
   sig 3    N   4F2816D5 2018-05-11  AAAAA
      Signature notation: notation@example.com=AAA 2

(3) a certificate with User ID »BBBBB«:

   $ gpg2 --no-options --list-options=show-notations --list-sigs -- =BBBBB
   pub    512D/21DA1E53 2018-05-11 [expires: 2018-06-10]
   uid                  BBBBB
   sig 3        21DA1E53 2018-05-11  BBBBB

(4) a certificate with User ID »CCCCC«:

+ gpg2 --no-options --list-options=show-notations --list-sigs -- =CCCCC
pub    512D/9D091044 2018-05-11 [expires: 2018-06-10]
uid                  CCCCC
sig 3        9D091044 2018-05-11  CCCCC


Anyone who wants to reproduce the following with my keys can
import the two attachments »public key block« and »private key
block«.

Now the User ID »BBBBB« is signed with the User ID »AAA 1«:

% gpg2 --no-options --default-cert-level 3 -u '=AAA 1' --edit-key -- =BBBBB
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:	9  signed:  11	trust: 0-, 0q, 0n, 0m, 0f, 9u
gpg: depth: 1  valid:  11  signed:   1	trust: 4-, 0q, 0n, 5m, 2f, 0u
gpg: next trustdb check due at 2018-06-10
pub   512D/21DA1E53  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: unknown	  validity: unknown
[ unknown] (1). BBBBB

Command> sign

pub   512D/21DA1E53  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: unknown	  validity: unknown
 Primary key fingerprint: E313 C740 E39A F6F9 A614  B663 D86E 2055 21DA 1E53

     BBBBB

This key is due to expire on 2018-06-10.
Are you sure that you want to sign this key with your
key "AAAAA" (4F2816D5)

I have checked this key very carefully.

Really sign? (y/N) y

Command> save
%

Now I would expect the signature added to the User ID »BBBBB« to
name the User ID »AAA 1« and, along with it, the notation
»notation@example.com=AAA 1« attached to »AAA 1«.  At any rate,
the placeholders »%k« etc. described in the GnuPG manual suggest
that a notation attached to a User ID (here »AAA 1« and »AAA 2«)
takes effect when signing.  But that is not the case: neither the
User ID »AAA 1« nor the notation belonging to it is shown.

% gpg2 --no-options --list-options show-notations --list-sigs =BBBBB
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   9  signed:  12  trust: 0-, 0q, 0n, 0m, 0f, 9u
gpg: depth: 1  valid:  12  signed:   1  trust: 5-, 0q, 0n, 5m, 2f, 0u
gpg: next trustdb check due at 2018-06-10
pub    512D/21DA1E53 2018-05-11 [expires: 2018-06-10]
uid                  BBBBB
sig 3        21DA1E53 2018-05-11  BBBBB
sig 3        4F2816D5 2018-05-11  AAAAA
%

--list-packets shows it too:

% gpg2 --no-options -a --export -- =BBBBB | gpg2 --list-packets
:public key packet:
	version 4, algo 17, created 1526065043, expires 0
	pkey[0]: [512 bits]
	pkey[1]: [160 bits]
	pkey[2]: [510 bits]
	pkey[3]: [511 bits]
	keyid: D86E205521DA1E53
:user ID packet: "BBBBB"
:signature packet: algo 17, keyid D86E205521DA1E53
	version 4, created 1526065043, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 0e 98
	hashed subpkt 2 len 4 (sig created 2018-05-11)
	hashed subpkt 27 len 1 (key flags: 01)
	hashed subpkt 9 len 4 (key expires after 30d0h0m)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (key server preferences: 80)
	subpkt 16 len 8 (issuer key ID D86E205521DA1E53)
	data: [158 bits]
	data: [160 bits]
:signature packet: algo 17, keyid A80BE4124F2816D5
	version 4, created 1526080250, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 4e 40
	hashed subpkt 2 len 4 (sig created 2018-05-11)
	subpkt 16 len 8 (issuer key ID A80BE4124F2816D5)
	data: [157 bits]
	data: [160 bits]
%

Am I misunderstanding RFC 2440 section 5.2.3.15, Notation Data
(<https://tools.ietf.org/html/rfc2440#section-5.2.3.15>)

   »This subpacket describes a "notation" on the signature that
   the issuer wishes to make.«

and section 5.2.3.21, Signer's User ID
(<https://tools.ietf.org/html/rfc2440#section-5.2.3.21>)

   »This subpacket allows a keyholder to state which user id is
   responsible for the signing. Many keyholders use a single key
   for different purposes, such as business communications as
   well as personal communications. This subpacket allows such a
   keyholder to state which of their roles is making a
   signature.«

or am I doing something wrong, or is this a missing feature in
GnuPG?

If »AAA 2« is subsequently made the primary User ID, the User ID
shown in the third-party signature in the signature listing of
»BBBBB« changes from »AAAAA« to »AAA 2«:

% gpg2 --no-options --edit-key =AAAAA
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub   512D/4F2816D5  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
[ultimate] (1). AAAAA
[ultimate] (2)	AAA 1
[ultimate] (3)	AAA 2

Command> uid 3

pub   512D/4F2816D5  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
[ultimate] (1). AAAAA
[ultimate] (2)	AAA 1
[ultimate] (3)* AAA 2

Command> primary

pub   512D/4F2816D5  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
[ultimate] (1)	AAAAA
[ultimate] (2)	AAA 1
[ultimate] (3)* AAA 2

Command> save
%

Show the signature list of »BBBBB«:

% gpg2 --no-options --list-options show-notations --list-sigs =BBBBB
pub    512D/21DA1E53 2018-05-11 [expires: 2018-06-10]
uid		     BBBBB
sig 3	     21DA1E53 2018-05-11  BBBBB
sig 3	     4F2816D5 2018-05-11  AAA 2

%

And during a signing operation the primary User ID plays no role
either:

Sign »CCCCC« with »AAAAA«:

% gpg2 --no-options --default-cert-level 3 -u =AAAAA --edit-key =CCCCC
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub   512D/9D091044  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
[ultimate] (1). CCCCC

Command> sign

pub   512D/9D091044  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
 Primary key fingerprint: 1E8D 3D3A ECE0 E087 4071  F20B D9F9 0312 9D09 1044

     CCCCC

This key is due to expire on 2018-06-10.
Are you sure that you want to sign this key with your
key "AAA 2" (4F2816D5)

I have checked this key very carefully.

Really sign? (y/N) y

Command> save
% gpg2 --no-options --list-options show-notations --list-sigs -- =CCCCC
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:	9  signed:  12	trust: 0-, 0q, 0n, 0m, 0f, 9u
gpg: depth: 1  valid:  12  signed:   1	trust: 5-, 0q, 0n, 5m, 2f, 0u
gpg: next trustdb check due at 2018-06-10
pub    512D/9D091044 2018-05-11 [expires: 2018-06-10]
uid		     CCCCC
sig 3	     9D091044 2018-05-11  CCCCC
sig 3	     4F2816D5 2018-05-12  AAA 2

%


Make =AAAAA the primary User ID again:

% gpg2 --no-options --edit-key =AAAAA
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub   512D/4F2816D5  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
[ultimate] (1). AAA 2
[ultimate] (2)	AAAAA
[ultimate] (3)	AAA 1

Command> uid 2

pub   512D/4F2816D5  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
[ultimate] (1). AAA 2
[ultimate] (2)* AAAAA
[ultimate] (3)	AAA 1

Command> primary

pub   512D/4F2816D5  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
[ultimate] (1)	AAA 2
[ultimate] (2)* AAAAA
[ultimate] (3)	AAA 1

Command> uid 0

pub   512D/4F2816D5  created: 2018-05-11  expires: 2018-06-10  usage: C
		     trust: ultimate	  validity: ultimate
[ultimate] (1)	AAA 2
[ultimate] (2). AAAAA
[ultimate] (3)	AAA 1

Command> save


Show »CCCCC«: the third-party signature lists »AAAAA«:

$ gpg2 --no-options --list-options show-notations --list-sigs -- =CCCCC
pub    512D/9D091044 2018-05-11 [expires: 2018-06-10]
uid		     CCCCC
sig 3	     9D091044 2018-05-11  CCCCC
sig 3	     4F2816D5 2018-05-12  AAAAA

%

I had actually expected that it matters which of several User IDs
one specifies with »-u« when signing, or at least which User ID
is primary at the time of signing.


Friedhelm
-------------- next part --------------
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
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=P7L9
-----END PGP PRIVATE KEY BLOCK-----
-------------- next part --------------
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
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=HQg0
-----END PGP PUBLIC KEY BLOCK-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name        : signature.asc
Type        : application/pgp-signature
Size        : 482 bytes
Description : Digital signature
URL         : <https://lists.gnupg.org/pipermail/gnupg-de/attachments/20180512/d8f91711/attachment.sig>
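The question above turns on which subpackets actually end up in the hashed area of the certification (the `--list-packets` output shows only `subpkt 2` hashed and `subpkt 16` unhashed, no type 20 Notation Data and no type 28 Signer's User ID). The following is an added example, not code from the poster or from GnuPG: a small RFC 4880 packet walker that reads a binary key export (`gpg2 --export =BBBBB`, without `-a`) and reports, per signature packet, the issuer, any notations and any Signer's User ID, looking only at the hashed area because unhashed subpackets are not covered by the signature. The sample certifications it builds are constructed test data with dummy MPIs and a dummy hash prefix (structurally valid, cryptographically meaningless); the notation name `notation@example.com` and key ID `A80BE4124F2816D5` are taken from the listing above. For reference, the GnuPG option that writes a notation into a certification is `--cert-notation name=value` (the `%k`-style placeholders the poster mentions are expanded in that value), so a key signed that way would show a type 20 subpacket here.

```python
"""Report Notation Data (20) and Signer's User ID (28) subpackets in the
hashed area of OpenPGP v4 signature packets (RFC 4880 section 5.2.3).
Added example for this thread; not GnuPG code and not the poster's."""
import struct
import sys

TAG_SIGNATURE = 2
SUB_CREATION_TIME, SUB_ISSUER, SUB_NOTATION, SUB_SIGNER_UID = 2, 16, 20, 28


def iter_packets(data):
    """Yield (tag, body) for each old- or new-format packet in data."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                                   # new-format header
            tag, octet = first & 0x3F, data[pos]
            pos += 1
            if octet < 192:
                length = octet
            elif octet < 224:
                length = ((octet - 192) << 8) + data[pos] + 192
                pos += 1
            elif octet == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                              # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length


def parse_subpackets(buf):
    """Return [(type, critical, data)] for a signature subpacket area."""
    out, pos = [], 0
    while pos < len(buf):
        octet = buf[pos]
        pos += 1
        if octet < 192:
            length = octet
        elif octet < 255:
            length = ((octet - 192) << 8) + buf[pos] + 192
            pos += 1
        else:
            length = struct.unpack(">I", buf[pos:pos + 4])[0]
            pos += 4
        stype = buf[pos]
        out.append((stype & 0x7F, bool(stype & 0x80), buf[pos + 1:pos + length]))
        pos += length
    return out


def parse_signature(body):
    """Split a v4 signature body into class, algorithms and subpacket areas."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    pos = 6 + hlen
    ulen = struct.unpack(">H", body[pos:pos + 2])[0]
    return {"sigclass": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "hashed": parse_subpackets(body[6:6 + hlen]),
            "unhashed": parse_subpackets(body[pos + 2:pos + 2 + ulen])}


def annotations(sig):
    """Issuer, notations and signer's user ID; notations and signer UID are
    taken from the hashed area only, since the unhashed area is unsigned."""
    result = {"issuer": None, "notations": [], "signer_uid": None}
    for stype, _critical, data in sig["hashed"]:
        if stype == SUB_NOTATION:
            flags = data[:4]                                # 0x80: human-readable
            nlen, vlen = struct.unpack(">HH", data[4:8])
            name = data[8:8 + nlen].decode("utf-8")
            value = data[8 + nlen:8 + nlen + vlen]
            result["notations"].append(
                (name, value.decode("utf-8") if flags[0] & 0x80 else value))
        elif stype == SUB_SIGNER_UID:
            result["signer_uid"] = data.decode("utf-8")
    for stype, _critical, data in sig["hashed"] + sig["unhashed"]:
        if stype == SUB_ISSUER and result["issuer"] is None:
            result["issuer"] = data.hex().upper()
    return result


def certification_report(data):
    """Annotations of every signature packet in a binary OpenPGP key export."""
    return [annotations(parse_signature(body))
            for tag, body in iter_packets(data) if tag == TAG_SIGNATURE]


def encode_subpacket(stype, data, critical=False):
    """Encode one subpacket with the 1-, 2- or 5-octet length form."""
    body = bytes([stype | (0x80 if critical else 0)]) + data
    n = len(body)
    if n < 192:
        return bytes([n]) + body
    if n < 8384:
        return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return b"\xff" + struct.pack(">I", n) + body


def sample_certification(issuer_keyid, notations=(), signer_uid=None):
    """Constructed 0x13 certification (DSA/SHA-1 like the listing) with dummy
    MPIs and a dummy hash prefix: parses like a real one, verifies as nothing."""
    hashed = encode_subpacket(SUB_CREATION_TIME, struct.pack(">I", 1526080250))
    for name, value in notations:
        n, v = name.encode(), value.encode()
        hashed += encode_subpacket(SUB_NOTATION, b"\x80\x00\x00\x00"
                                   + struct.pack(">HH", len(n), len(v)) + n + v)
    if signer_uid is not None:
        hashed += encode_subpacket(SUB_SIGNER_UID, signer_uid.encode())
    unhashed = encode_subpacket(SUB_ISSUER, bytes.fromhex(issuer_keyid))
    mpi = struct.pack(">H", 8) + b"\xa5"                    # 8-bit dummy MPI
    body = (b"\x04\x13\x11\x02" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x4e\x40" + mpi + mpi)
    return bytes([0x80 | (TAG_SIGNATURE << 2), len(body)]) + body   # old-format tag 2


if __name__ == "__main__":
    if len(sys.argv) > 1:                                   # e.g. a `gpg2 --export` file
        blob = open(sys.argv[1], "rb").read()
    else:                                                   # constructed sample data
        blob = (sample_certification("A80BE4124F2816D5")
                + sample_certification("A80BE4124F2816D5",
                                       [("notation@example.com", "AAA 1")], "AAA 1"))
    for report in certification_report(blob):
        print(report)
```

Run it on `gpg2 --no-options --export -- =BBBBB > bbbbb.gpg; python3 sigsubpackets.py bbbbb.gpg` to see the same empty `notations` and `signer_uid` for the 4F2816D5 certification that the `--list-packets` output above implies; the first constructed sample mirrors that case, the second shows what a certification carrying both subpackets looks like to the parser.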

