Werner Koch wk at gnupg.org
Thu Nov 8 13:27:01 CET 2001

On Wed, 24 Oct 2001 16:10:16 -0400, David Shaw said:

> 2) The --edit menu does not detect if you have v3 secret keys
>    (i.e. you can't "toggle").  V4 secret keys do work.

Oops - fingerprint_from_sk() did it wrong for v3 keys, the bug never
showed up because this function was never used for internal purposes.
No problem with the keyID of v3 keys because it is not derived from
the fingerprint.  gpg --list-[secret-]key --with-fingerprint shows
this bug very clearly. 

> 3) If you try to make a 4096-bit RSA key, gpg seems to make a 4095-bit
>    key.


> 4) Sign a key, so that it's trust goes to "full".  Now, delete or
>    revoke the signature.  The trust level stays at "full" until you
>    export, delete, and then re-import the trustdb.

Does a "gpg --rebuild-keydb-caches" has the same effect as the
export, delete, import?

> 5) When you delete a key with ownertrust set it does not disappear
>    from the trustdb.

This is a feature so you can ater re-import the key.

> 6) You can revoke the same key signature multiple times (unclear
>    whether this is really a problem or not).

A warning notice might be nice but actually this is not a problem and
good for testing the code.

> 7) When revoking a key signature, the reason for revocation prompt
>    doesn't allow for the "no reason specified" option allowed in the
>    RFC.  A patch for that is attached.


> 8) RSA key signatures are always made with MD5 as the hash.  This
>    makes sense for v3 key sigs, but v4 RSA key sigs are probably safe
>    to use something else.

Will now use SHA-1

>    I've added a feature (patch attached) to always make v4 key sigs
>    unless it is a v3 key making a key sig on a v3 key, in which case
>    it makes a v3 key sig.  I also added a "force-v4-certs" flag to


>    This doesn't really solve the stated issue that gpg prompts the
>    user even if it is not going to use the revocation reason but it
>    does help the underlying problem.

Something for the TODO list ;-)

> 10) Key flags don't seem to work properly in that if a key is flagged
>     certify-only (0x01), or signature-only (0x02), it still can do the
>     other (certify-only keys can sign, and signature-only keys can
>     certify).

Another item for that list ;-)

Thanks for this nice report and the patches,


Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus

More information about the Gnupg-devel mailing list