newbie needs clarification

CL Gilbert lamont_gilbert@rigidsoftware.com
Wed Jun 4 04:46:03 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

malsyned@dennisx.cif.rochester.edu wrote:
| On Tue, 3 Jun 2003, CL Gilbert wrote:
|
|>My top level key is 0x80D20A2D, it is a DH/DSS key pair.  It expires
|>9/14/03.  Which part of this key is the secret part, and which is the
|>public part? or is it not broken down like that?
|
|
| It is not broken down like that.  A DH/DSS key is broken down into a
| top-level DSA signing key (DSS) and an ElGamal encryption subkey (DH).
|
| The secret key is a seperate piece of data (also made up of DSA and
| ElGamal parts) which GnuPG stores on a separate keyring.  You distribute
| your public key and keep your secret key private.
|
|

Got it.

|>I seem to have a sub key.  I assume that is the one that is for
|>encryptioni.  While the top key is for signatures.  I hear someone
|>mention that is so I can expire the encryption key while I keep the main
|>top level key?  is this right?  The sub key has a different ID
|>0x751c3bf9.  also expires on 9/14/03.
|
|
| Changing your encryption subkey often can help with security.  It means
| that if a subkey is broken, only a fraction of your messages will be
| readable.  Changing your signing key often is thought to be less
| important by some.
|
|

This confuses me.  I thought when someone wanted to send me an encrypted
email, they needed by public key.  But it seems as if they actually need
my encryption subkey?  What is the difference here?  Is their one?



|>I have 2 IDs on the key.
|>[...]
|>I have read the FAQs and even went through about 4 months of this
|>newsgroup, didnt google though...What is the point of the sub IDs?  Does
|>my main top key have to have an ID attached to it?
|
|
| Associating an Identity with a key asserts that the person identified
owns
| the key.  A self-signature on the ID binds it to the particular public
| key, and the signature of others on the ID form the basis for trusting
| keys you haven't personally verified.
|

So we are assuming that I would not sign a key, unless i owned the key?
This may be too deep of a question but, what makes it a self-sign?  Does
the ID share something specific that already attaches it to the signing
key, so when its signed it becomes obvious that the key is self-signed.
~ Can I identify this quality manually?

I ask because I am moving into Linux world, and am on command line now.
~ so I need to know the nitty gritty since I don't have a PGP GUI helping
me out, and I can not get a GUI on RH8 unless i compile...


| IDs are only bound to a primary key, and multiple IDs can be bound to it,
| each with potentially different sets of signatures, especially if you add
| a new email address to a key long after it's creation or something like
| that.
|

Got it.

|
|>When I send an email like this one, I am signing with my top level key?
|>~ Is it somehow associated with a particular sub ID?
|>I sign others IDs with my top level key? is that associated with a
|>particular sub level ID?
|
|
| "sub-level ID" (or "sub ID") isn't really a concept.  All IDs are pretty
| much created equal, except that one can (at any time) be identified by you
| as "primary" (can someone else commment on what making an ID "primary"
| means?).  All IDs are associated with your primary key via a
| self-signature, as is your encryption subkey.  You sign things with your
| primary key, and people can determine your identity by looking at what
IDs
| are bound to that key.
|
|

So this email is signed with my 'signing' key, of which their is only
one?  I can have many encryption keys, but only 1 signing key!?  I
understand I can revoke an ID? but what does this really mean since
nothing is really anything but the signing key.  Everything is validated
through the signing key, so you learn that my CLG ID is revoked, so now
what does that mean?  Its the same key, and if any other IDs are not
revoked then effectively nothing has changed except a sort of 'ornament.'

|>So no matter which ID you see in the sig, its signed with the same key?
|
|
| That's correct.
|
| It helps to understand all of this if you start seeing your key as a
| collection of packets.  For example, your key probably looks like this:
|
| DSA Signing Primary Key packet
| ID packet
| self-signature packet binding ID to primary key
| ID packet 2
| self-signature packet binding ID 2 to primary key
| ElGamal Encryption Subkey packet
| self-signature packet binding subkey to primary key
|
| --Dennis Lambe
|
| _______________________________________________
| Gnupg-users mailing list
| Gnupg-users@gnupg.org
| http://lists.gnupg.org/mailman/listinfo/gnupg-users
|



Thanks again,  I'm getting close :D

Carl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+3V0eVbJM14DSCi0RAiAmAJ4olT/KZn5PXkYggrruqpJfd8CiVwCdEDXN
/iTjDd2PSTMbY2krmwDEoyw=
=Y0c8
-----END PGP SIGNATURE-----