newbie needs clarification

CL Gilbert Lamont_Gilbert@RigidSoftware.com
Wed Jun 4 16:12:03 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

malsyned@dennisx.cif.rochester.edu wrote:
| On Tue, 3 Jun 2003, CL Gilbert wrote:
|
|>This confuses me.  I thought when someone wanted to send me an encrypted
|>email, they needed my public key.  But it seems as if they actually need
|>my encryption subkey?  What is the difference here?  Is there one?
|
|
| Your "public key" is actually made up of several packets, one of which is
| a DSA signing key, one of which is your ElGamal encryption subkey, and one
| for each ID and signature as well.  All of these things, including
| multiple cryptographic public keys, are all bundled together into one
| PGP/GnuPG public key, which is what you export and send to people.
|
|

thanks.

|>So we are assuming that I would not sign a key, unless i owned the key?
|>This may be too deep of a question but, what makes it a self-sign?  Does
|>the ID share something specific that already attaches it to the signing
|>key, so when its signed it becomes obvious that the key is self-signed.
|
|
| No.  You can and should sign any key once you've verified the identity of
| the owner.  Given a signature, GnuPG can determine what key produced it
| (that's the whole point). What makes a signature a self-signature is the
| fact that it's a signature on a public key generated by its corresponding
| private key.
|
|
|>~ Can I identify this quality manually?
|
|
| You can verify the signatures on a key by running gpg --check-sigs
| <keyID>.  A self-signature should be easy to spot, since it's made by the
| key you own ;-)
|
|
|>So this email is signed with my 'signing' key, of which there is only
|>one?  I can have many encryption keys, but only 1 signing key!?
|
|
| You can actually have as many subkeys, both encryption and signing, as you
| like.  You must have a primary key which is capable of signing (and you
| do.)
|
| You need one primary signing key because it is that key (and the IDs
| attached to it) that other people sign, and it is that key that signs
| other keys.  Signing subkeys can be used to sign documents, though, and
| some of the people on this list can come up with reasons why that might be
| useful.  For now, one primary signing key and one encryption subkey should
| be all you need to worry about.
|
|

OK, this helps.


|>I understand I can revoke an ID? but what does this really mean since
|>nothing is really anything but the signing key.  Everything is validated
|>through the signing key, so you learn that my CLG ID is revoked, so now
|>what does that mean?  It's the same key, and if any other IDs are not
|>revoked then effectively nothing has changed except a sort of
|>'ornament.'
|
|
| That "ornament" is the cornerstone of the PGP trust model.  A reread of
| the section of the GNU Privacy Manual on signatures and trust might be
| enlightening, now that you've got this much down.
|
| Revoking an ID can mean a lot of things.  It can mean, for example, that a
| particular email address is no longer valid, or that plastic surgery has
| rendered your photoID inaccurate.
|

But revoking an ID cannot mean the ID was compromised, because IDs
can't be compromised, right?  Since they are not keys. So even after it's
revoked, if someone receives...Well I get confused on the usage of the
ID anyway.  I guess it's somehow attached to what you sign.  So when you
sign something, you use your main key (for now) and you also attach one
of your IDs to it?



| You can revoke your primary signing key as well, which invalidates the
| whole thing, since all of the self-signatures that hold the key together
| would be invalidated.
|
| --Dennis Lambe
|
| _______________________________________________
| Gnupg-users mailing list
| Gnupg-users@gnupg.org
| http://lists.gnupg.org/mailman/listinfo/gnupg-users
|

thanks again



- --
L8r,


Carl L. Gilbert
Free Java interface to Freechess.org
http://www.rigidsoftware.com/Chess/chess.html
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+3f5ZVbJM14DSCi0RAvqiAKC9UlW+TZ+4qVITqJgC1YHY/usrQgCfel50
ntWgcyhyRBntiZAvjNeAICQ=
=QCe1
-----END PGP SIGNATURE-----
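The packet structure Dennis describes (a primary DSA key, user ID packets, signature packets, and an ElGamal encryption subkey all bundled into one exported "public key"), and his definition of a self-signature, can be made concrete with a small packet walker. The following Python is an added example, not code from this thread or from GnuPG. It parses RFC 4880 packet headers and v4 signature subpackets, derives each key packet's v4 key ID (SHA-1 over `0x99`, a two-octet length and the key body; key ID is the last 8 bytes), and flags a signature as a self-signature exactly when its Issuer subpacket names the primary key's own ID. The sample key at the bottom is constructed by hand with dummy MPI values and a made-up third-party key ID, so nothing in it is cryptographically valid and no signature is verified; it only shows the layout, including a certification-revocation signature, which is all that "revoking an ID" adds to the key.

```python
"""Walk the packets of an OpenPGP (RFC 4880) public key.  Added example: the sample key below
is built from dummy MPIs, so nothing is cryptographically valid and no signature is verified."""
import hashlib, struct

PACKETS = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}
SIG_TYPES = {0x10: "generic certification of user ID", 0x13: "positive certification of user ID",
             0x18: "subkey binding", 0x30: "certification revocation"}

def read_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers, no partial body lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]                                    # bit 7 is always set on a tag byte
        if ctb & 0x40:                                   # new-format header (bit 6 set)
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            else:
                raise ValueError("5-octet and partial body lengths not handled here")
        else:                                            # old-format header: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype > 1:
                raise ValueError("4-octet and indeterminate lengths not handled here")
            length, hdr = (data[i + 1], 2) if ltype == 0 else (struct.unpack(">H", data[i + 1:i + 3])[0], 3)
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def v4_key_id(key_body):
    """v4 fingerprint = SHA-1(0x99 || 2-octet length || key body); the key ID is its last 8 bytes."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]

def sig_type_and_issuer(sig):
    """Return (signature type, issuer key ID) from a v4 signature packet body."""
    assert sig[0] == 4, "only v4 signatures handled here"
    sigtype, pos, issuer = sig[1], 4, None
    for _ in range(2):                                   # hashed area, then unhashed area
        end = pos + 2 + struct.unpack(">H", sig[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            sp_len = sig[pos]                            # length covers the type octet + data
            if sp_len < 192:
                pos += 1
            elif sp_len < 255:
                sp_len, pos = ((sp_len - 192) << 8) + sig[pos + 1] + 192, pos + 2
            else:
                sp_len, pos = struct.unpack(">I", sig[pos + 1:pos + 5])[0], pos + 5
            if sig[pos] & 0x7F == 16:                    # Issuer subpacket (critical bit masked)
                issuer = sig[pos + 1:pos + sp_len]
            pos += sp_len
    return sigtype, issuer

def describe_key(data):
    """List the packets; a signature is a self-signature when its issuer is the primary key."""
    primary_id, out = None, []
    for tag, body in read_packets(data):
        e = {"packet": PACKETS.get(tag, f"tag {tag}")}
        if tag in (6, 14):
            kid = v4_key_id(body)
            primary_id = kid if tag == 6 else primary_id
            e.update(algo=body[5], key_id=kid.hex().upper())   # algo 17 = DSA, 16 = ElGamal
        elif tag == 13:
            e["uid"] = body.decode("utf-8")
        elif tag == 2:
            sigtype, issuer = sig_type_and_issuer(body)
            e.update(sig_type=SIG_TYPES.get(sigtype, f"0x{sigtype:02x}"),
                     issuer=issuer.hex().upper() if issuer else None,
                     self_sig=issuer is not None and issuer == primary_id)
        out.append(e)
    return out

# --- constructed sample: DSA primary key + ElGamal subkey layout, dummy numbers throughout ---
def old_packet(tag, body):                                # old-format header, 2-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
def new_packet(tag, body):                                # new-format header, body < 192 octets
    return bytes([0xC0 | tag, len(body)]) + body
def v4_key_body(algo, mpis):                              # version 4, creation time, algo, MPIs
    body = b"\x04" + struct.pack(">I", 1054764723) + bytes([algo])
    for m in mpis:
        body += struct.pack(">H", m.bit_length()) + m.to_bytes((m.bit_length() + 7) // 8, "big")
    return body
def v4_sig_body(sigtype, issuer):                         # v4 DSA/SHA-1 signature skeleton
    hashed = bytes([5, 2]) + struct.pack(">I", 1054764723)       # creation-time subpacket
    unhashed = bytes([9, 16]) + issuer                            # issuer subpacket
    return (bytes([4, sigtype, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xAB\xCD\x00\x04\x0F\x00\x04\x0D")
PRIMARY = v4_key_body(17, [0x0B, 0x03, 0x02, 0x05])      # DSA p, q, g, y (dummy values)
SUBKEY = v4_key_body(16, [0x0B, 0x02, 0x07])             # ElGamal p, g, y (dummy values)
PRIMARY_ID = v4_key_id(PRIMARY)
SAMPLE_KEY = (old_packet(6, PRIMARY)
              + new_packet(13, b"Alice Example <alice@example.invalid>")
              + new_packet(2, v4_sig_body(0x13, PRIMARY_ID))               # self-signature on the UID
              + new_packet(2, v4_sig_body(0x10, bytes.fromhex("1122334455667788")))  # third-party cert
              + new_packet(2, v4_sig_body(0x30, PRIMARY_ID))               # owner revokes this UID
              + old_packet(14, SUBKEY)
              + new_packet(2, v4_sig_body(0x18, PRIMARY_ID)))              # subkey binding self-sig
```

Running `describe_key(SAMPLE_KEY)` lists seven packets in the order they sit in the blob; the two signatures issued by the primary key on its own user ID and on its subkey come out with `self_sig=True`, while the third party's certification, which carries a different issuer key ID, does not. On a real exported key, `gpg --list-packets` shows the same sequence of key, user ID, signature and subkey packets with their issuer key IDs, which is how the self-signatures that "hold the key together" can be picked out by hand.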