newbie needs clarification

malsyned@dennisx.cif.rochester.edu malsyned@dennisx.cif.rochester.edu
Wed Jun 4 01:54:01 2003


On Tue, 3 Jun 2003, CL Gilbert wrote:
> My top level key is 0x80D20A2D, it is a DH/DSS key pair.  It expires
> 9/14/03.  Which part of this key is the secret part, and which is the
> public part? or is it not broken down like that?

It is not broken down like that.  A DH/DSS key is broken down into a 
top-level DSA signing key (DSS) and an ElGamal encryption subkey (DH).

The secret key is a seperate piece of data (also made up of DSA and 
ElGamal parts) which GnuPG stores on a separate keyring.  You distribute 
your public key and keep your secret key private.

> I seem to have a sub key.  I assume that is the one that is for
> encryptioni.  While the top key is for signatures.  I hear someone
> mention that is so I can expire the encryption key while I keep the main
> top level key?  is this right?  The sub key has a different ID
> 0x751c3bf9.  also expires on 9/14/03.

Changing your encryption subkey often can help with security.  It means 
that if a subkey is broken, only a fraction of your messages will be 
readable.  Changing your signing key often is thought to be less 
important by some.

> I have 2 IDs on the key.
> [...]
> I have read the FAQs and even went through about 4 months of this
> newsgroup, didnt google though...What is the point of the sub IDs?  Does
> my main top key have to have an ID attached to it?

Associating an Identity with a key asserts that the person identified owns 
the key.  A self-signature on the ID binds it to the particular public 
key, and the signature of others on the ID form the basis for trusting 
keys you haven't personally verified.

IDs are only bound to a primary key, and multiple IDs can be bound to it, 
each with potentially different sets of signatures, especially if you add 
a new email address to a key long after it's creation or something like 
that.

> When I send an email like this one, I am signing with my top level key?
> ~ Is it somehow associated with a particular sub ID?
> I sign others IDs with my top level key? is that associated with a
> particular sub level ID?

"sub-level ID" (or "sub ID") isn't really a concept.  All IDs are pretty
much created equal, except that one can (at any time) be identified by you
as "primary" (can someone else commment on what making an ID "primary"  
means?).  All IDs are associated with your primary key via a
self-signature, as is your encryption subkey.  You sign things with your 
primary key, and people can determine your identity by looking at what IDs 
are bound to that key.

> So no matter which ID you see in the sig, its signed with the same key?

That's correct.

It helps to understand all of this if you start seeing your key as a 
collection of packets.  For example, your key probably looks like this:

DSA Signing Primary Key packet
ID packet
self-signature packet binding ID to primary key
ID packet 2
self-signature packet binding ID 2 to primary key
ElGamal Encryption Subkey packet
self-signature packet binding subkey to primary key

--Dennis Lambe