newbie needs clarification
Wed Jun 4 09:05:03 2003
On Tue, 3 Jun 2003, CL Gilbert wrote:
> This confuses me. I thought when someone wanted to send me an encrypted
> email, they needed my public key. But it seems as if they actually need
> my encryption subkey? What is the difference here? Is there one?
Your "public key" is actually made up of several packets, one of which is
a DSA signing key, one of which is your ElGamal encryption subkey, and one
for each ID and signature as well. All of these things, including
multiple cryptographic public keys, are all bundled together into one
PGP/GnuPG public key, which is what you export and send to people.
> So we are assuming that I would not sign a key, unless I owned the key?
> This may be too deep of a question but, what makes it a self-sign? Does
> the ID share something specific that already attaches it to the signing
> key, so when it's signed it becomes obvious that the key is self-signed.
No. You can and should sign any key once you've verified the identity of
the owner. Given a signature, GnuPG can determine what key produced it
(that's the whole point). What makes a signature a self-signature is the
fact that it's a signature on a public key generated by its corresponding
> ~ Can I identify this quality manually?
You can verify the signatures on a key by running gpg --check-sigs
<keyID>. A self-signature should be easy to spot, since it's made by the
key you own ;-)
> So this email is signed with my 'signing' key, of which there is only
> one? I can have many encryption keys, but only 1 signing key!?
You can actually have as many subkeys, both encryption and signing, as you
like. You must have a primary key which is capable of signing (and you
You need one primary signing key because it is that key (and the IDs
attached to it) that other people sign, and it is that key that signs
other keys. Signing subkeys can be used to sign documents, though, and
some of the people on this list can come up with reasons why that might be
useful. For now, one primary signing key and one encryption subkey should
be all you need to worry about.
> I understand I can revoke an ID? but what does this really mean since
> nothing is really anything but the signing key. Everything is validated
> through the signing key, so you learn that my CLG ID is revoked, so now
> what does that mean? It's the same key, and if any other IDs are not
> revoked then effectively nothing has changed except a sort of
That "ornament" is the cornerstone of the PGP trust model. A reread of
the section of the GNU Privacy Manual on signatures and trust might be
enlightening, now that you've got this much down.
Revoking an ID can mean a lot of things. It can mean, for example, that a
particular email address is no longer valid, or that plastic surgery has
rendered your photoID inaccurate.
You can revoke your primary signing key as well, which invalidates the
whole thing, since all of the self-signatures that hold the key together
would be invalidated.
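The reply's central point is that a "public key" is really a sequence of OpenPGP packets: a primary key, one packet per user ID, a self-signature binding each ID to the primary key, an encryption subkey, and a binding signature on that subkey. The script below is an added example (it is not from the original post or from GnuPG) that walks such a packet sequence using the header and packet layouts from RFC 4880 and labels each packet. The sample key block it parses is constructed inline with stub bodies in place of real key material and signatures, so it illustrates the structure only; on a real exported key you would see the same packet types in the same order (compare `gpg --list-packets`).

```python
"""Walk the packets of an OpenPGP public key block (RFC 4880, section 4).

Added example, not code from the original post or from GnuPG. It shows why
"your public key" is a bundle: primary key, user ID, self-signature,
encryption subkey, subkey-binding signature. The sample key below is
constructed with stub bodies; it is not a real key.
"""
import struct

# Packet tags (RFC 4880 section 4.3)
TAG_NAMES = {
    2: "signature",
    6: "public key (primary)",
    13: "user ID",
    14: "public subkey",
    17: "user attribute",
}

# Public-key algorithm IDs (RFC 4880 section 9.1)
ALGO_NAMES = {1: "RSA", 16: "ElGamal (encrypt-only)", 17: "DSA"}

# Signature types (RFC 4880 section 5.2.1); 0x10-0x13 are the self-signatures
# on user IDs, 0x18 binds a subkey to the primary key, 0x20/0x28/0x30 revoke.
SIG_TYPES = {
    0x10: "certification (generic)",
    0x11: "certification (persona)",
    0x12: "certification (casual)",
    0x13: "certification (positive)",
    0x18: "subkey binding",
    0x1F: "direct key",
    0x20: "key revocation",
    0x28: "subkey revocation",
    0x30: "certification revocation",
}


def read_header(data, pos):
    """Return (tag, body_offset, body_length) for the packet header at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not a packet header at offset %d" % pos)
    if first & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not handled in this example")
    # old-format header (RFC 4880 section 4.2.1): tag in bits 5-2, length type in bits 1-0
    tag = (first >> 2) & 0x0F
    ltype = first & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not handled in this example")


def describe(tag, body):
    """One-line label for a packet, reading only the fixed leading fields."""
    name = TAG_NAMES.get(tag, "tag %d" % tag)
    if tag in (6, 14) and len(body) > 5 and body[0] == 4:
        # v4 key packet: version(1), creation time(4), algorithm(1), MPIs...
        return "%s: %s" % (name, ALGO_NAMES.get(body[5], "algo %d" % body[5]))
    if tag == 2 and len(body) > 1 and body[0] == 4:
        # v4 signature packet: version(1), signature type(1), ...
        return "%s: %s" % (name, SIG_TYPES.get(body[1], "type 0x%02x" % body[1]))
    if tag == 13:
        return "%s: %s" % (name, body.decode("utf-8", "replace"))
    return name


def list_packets(data):
    """Return a label for every packet in a binary (unarmored) key block."""
    labels = []
    pos = 0
    while pos < len(data):
        tag, start, length = read_header(data, pos)
        labels.append(describe(tag, data[start:start + length]))
        pos = start + length
    return labels


def old_packet(tag, body):
    """Encode with an old-format header and a one-octet length (body < 256)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def new_packet(tag, body):
    """Encode with a new-format header and a one-octet length (body < 192)."""
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample: the packet order of a typical DSA/ElGamal key from that era.
# Bodies hold only the fields this example reads; the zero bytes stand in for MPIs
# and signature data and are NOT valid key material.
CREATED = struct.pack(">I", 1054630000)  # constructed creation timestamp
SAMPLE_KEY = b"".join([
    old_packet(6, b"\x04" + CREATED + bytes([17]) + b"\x00" * 8),   # primary DSA key
    old_packet(13, b"Example User <user@example.invalid>"),         # user ID (placeholder)
    old_packet(2, b"\x04\x13" + bytes([17, 2]) + b"\x00" * 8),      # self-signature on the ID
    new_packet(14, b"\x04" + CREATED + bytes([16]) + b"\x00" * 8),  # ElGamal encryption subkey
    new_packet(2, b"\x04\x18" + bytes([17, 2]) + b"\x00" * 8),      # subkey binding self-signature
])

if __name__ == "__main__":
    for line in list_packets(SAMPLE_KEY):
        print(line)
```

Running it prints the five packets in order: the primary DSA key, the user ID, the positive certification (the self-signature the reply describes), the ElGamal subkey, and the subkey binding signature. The subkey is what correspondents encrypt to, but it only means something because the primary key has signed it; revoking the primary key invalidates those bindings, which is exactly why the reply says a primary-key revocation takes "the whole thing" with it.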