2 FAQs

David Shaw dshaw@jabberwocky.com
Thu Dec 5 23:12:02 2002


On Thu, Dec 05, 2002 at 10:44:42PM +0100, Michael Nahrath wrote:
> David Shaw <dshaw@jabberwocky.com> wrote on 2002-12-05 at 20:45:
> 
> 
> >> sig!2   P    C9541FB2 2002-06-29   Douglas F. Calvert <dfc@anize.org>
> >>    ^^^^^^^^^^ 
> >> Between the "sig" and the 8-byte Key-ID there are 10 characters space.
> >> 
> >> Where do I find a complete compilation of all possible values they can take
> >> and their meaning?
> > 
> > "sig", followed by:
> > 
> > 1. ! for good sig, - for bad sig, % for error, and blank for no public
> >  key available to verify sig.
> 
> ... only displayed at --check-sigs, not at --list-sigs

Correct.  --list-sigs doesn't actually validate the signature.

> > 2. 1-3, giving the verification level of the key.  This is just
> >  cosmetic (a note from the signer to you) and has no bearing on
> >  whether the key is trusted or not.
> 
> Good to know, especially when it comes to robot-sigs ...
>  
> > 5. P if a policy URL exists on this signature, blank if not.
> 
> gpg --check-sigs --show-policy-url 13300731
> 
> as an example. Nice!
> 
> Is there a way to "tune up" an already given signature?

You can reissue the signature.  Revoke the first via "revsig", and
then issue a new one.

> > 6. N if a notation exists on this signature, blank if not.
> 
> gpg --check-sigs --show-notation
> 
> Don't have an example for this in my keyring.

See key 7D53BA6C on the keyserver for an example.

> > 8. 1-9 if this is a trust signature, or "T" if the trust signature
> >  depth is greater than 9.  Blank if not a trust signature.  (GnuPG
> >  1.3.x only).
> 
> Is this new to GPG only?
> I have found this value set on quite old keys:
> 
> pub   1024R/BB1D9F6D 1997-03-04 ct magazine CERTIFICATE <pgpCA@ct.heise.de>
> sig!       1 B3B2A12C 1999-05-12 ct magazine CERTIFICATE <pgpCA@ct.heise.de>

No, this is a standard part of OpenPGP.  It's been around for a while,
but GnuPG 1.3.x is the first time GnuPG supported it.

> >> The second character after the "sig" is new since GPG 1.0.7 and indicates
> >> the quality of a signature. Where can I get more information about this new
> >> model? 
> >> I haven't found anything about this except the release notes for 1.0.7 and
> >> the dialogs inside the program and those are rather short.
> > 
> > Make a signature, and when it asks you for the level, enter a '?'.
> 
> :-)
> 
> Some more FAQ style questions:
> 
> Signatures made by GPG 1.0.7 and later often have a number that expresses
> how good identity checking had been done before signing.
> Are those signatures better than the old ones without a number?

Not from the perspective of the trust system within GnuPG.  They are
only cosmetic, and used to tell you what the signer was thinking.  For
the trust system, they are all equal.  There is a possibility of doing
more than this in the future (it's a common request), but that hasn't
happened yet.

> Can I update signatures I made to others' keys with earlier versions of GPG
> or PGP to include such a number (it should remain the same signature,
> no second)?

No.  You'd need to reissue the signature.

> I signed someone's key with sig!1 some time ago. In the meantime I got to
> know him really well and had occasion for a thorough identity check.
> Can I update this (same) signature to sig!3 ?

Same thing.  You need to reissue.  That's a feature, by the way.  Even
if you could update a signature in-place, there is no way to guarantee
that other people (and especially keyservers) would do the same
in-place update.  You'd end up with two signatures anyway.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
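
A small parser for the "sig" line layout discussed in this thread, added here as an example; it is not part of the original exchange or of GnuPG. It assumes the column positions the message gives (1, 2, 5, 6, 8) and keeps columns 3, 4 and 7, which the message does not cover, as raw characters; the two last sample lines are constructed, the first two are the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Column 1 as printed by --check-sigs; --list-sigs does not verify, so it stays blank.
STATUS = {"!": "good", "-": "bad", "%": "error", " ": "unverified"}
# After the flag columns: 8-hex-digit key ID, ISO date, then the user ID.
_TAIL = re.compile(r"^([0-9A-F]{8}) (\d{4}-\d{2}-\d{2})\s+(.*)$")

@dataclass
class SigLine:
    status: str                 # good / bad / error / unverified
    level: Optional[int]        # column 2: 1-3, cosmetic only, None if absent
    policy_url: bool            # column 5: 'P'
    notation: bool              # column 6: 'N'
    trust_depth: Optional[str]  # column 8: '1'-'9', 'T' if deeper than 9, else None
    other_flags: str            # columns 3, 4 and 7: not covered in the message, kept raw
    keyid: str
    date: str
    uid: str

def parse_sig_line(line: str) -> SigLine:
    if not line.startswith("sig"):
        raise ValueError("not a sig line: %r" % line)
    # Ten characters sit between 'sig' and the key ID: 2 flags, separator, 6 flags, separator.
    flags = line[3:13]
    if len(flags) != 10 or flags[2] != " " or flags[9] != " ":
        raise ValueError("unexpected column layout: %r" % line)
    status_ch, level_ch = flags[0], flags[1]
    col3, col4, col5, col6, col7, col8 = flags[3:9]
    if status_ch not in STATUS:
        raise ValueError("unknown status character %r" % status_ch)
    m = _TAIL.match(line[13:])
    if not m:
        raise ValueError("cannot parse key ID / date / user ID: %r" % line)
    depth = col8 if (col8 == "T" or col8 in "123456789") else None
    return SigLine(STATUS[status_ch], int(level_ch) if level_ch in "123" else None,
                   col5 == "P", col6 == "N", depth, col3 + col4 + col7,
                   m.group(1), m.group(2), m.group(3))

def is_verified_good(sig: SigLine) -> bool:
    """Only a '!' means the signature verified; the level is just the signer's note."""
    return sig.status == "good"

# Constructed sample: lines 1-2 are quoted in the message; 3-4 are made up here.
SAMPLE = [
    "sig!2   P    C9541FB2 2002-06-29   Douglas F. Calvert <dfc@anize.org>",
    "sig!       1 B3B2A12C 1999-05-12 ct magazine CERTIFICATE <pgpCA@ct.heise.de>",
    "sig-3        0123ABCD 2002-12-05   Constructed Bad Sig <nobody@example.invalid>",
    "sig 3        0123ABCD 2002-12-05   Constructed Unchecked <nobody@example.invalid>",
]
```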