newbie needs clarification

CL Gilbert
Wed Jun 4 16:12:03 2003

Dennis Lambe wrote:
| On Tue, 3 Jun 2003, CL Gilbert wrote:
|>This confuses me.  I thought when someone wanted to send me an encrypted
|>email, they needed my public key.  But it seems as if they actually need
|>my encryption subkey?  What is the difference here?  Is there one?
| Your "public key" is actually made up of several packets, one of which is
| a DSA signing key, one of which is your ElGamal encryption subkey, and
| one for each ID and signature as well.  All of these things, including
| multiple cryptographic public keys, are bundled together into one
| PGP/GnuPG public key, which is what you export and send to people.


|>So we are assuming that I would not sign a key, unless I owned the key?
|>This may be too deep of a question but, what makes it a self-sign?  Does
|>the ID share something specific that already attaches it to the signing
|>key, so when it's signed it becomes obvious that the key is self-signed.
| No.  You can and should sign any key once you've verified the identity of
| the owner.  Given a signature, GnuPG can determine what key produced it
| (that's the whole point). What makes a signature a self-signature is the
| fact that it's a signature on a public key generated by its corresponding
| private key.
|>Can I identify this quality manually?
| You can verify the signatures on a key by running gpg --check-sigs
| <keyID>.  A self-signature should be easy to spot, since it's made by the
| key you own ;-)
|>So this email is signed with my 'signing' key, of which there is only
|>one?  I can have many encryption keys, but only 1 signing key!?
| You can actually have as many subkeys, both encryption and signing, as
| you like.  You must have a primary key which is capable of signing (and
| you do.)
| You need one primary signing key because it is that key (and the IDs
| attached to it) that other people sign, and it is that key that signs
| other keys.  Signing subkeys can be used to sign documents, though, and
| some of the people on this list can come up with reasons why that might be
| useful.  For now, one primary signing key and one encryption subkey should
| be all you need to worry about.

OK, this helps.

|>I understand I can revoke an ID? but what does this really mean since
|>nothing is really anything but the signing key.  Everything is validated
|>through the signing key, so you learn that my CLG ID is revoked, so now
|>what does that mean?  It's the same key, and if any other IDs are not
|>revoked then effectively nothing has changed except a sort of
| That "ornament" is the cornerstone of the PGP trust model.  A reread of
| the section of the GNU Privacy Manual on signatures and trust might be
| enlightening, now that you've got this much down.
| Revoking an ID can mean a lot of things.  It can mean, for example, that a
| particular email address is no longer valid, or that plastic surgery has
| rendered your photoID inaccurate.

But revoking an ID can not mean the ID was compromised, because IDs
can't be compromised right?  Since they are not keys. So even after it's
revoked, if someone receives...Well I get confused on the usage of the
ID anyway.  I guess it's somehow attached to what you sign.  So when you
sign something, you use your main key (for now) and you also attach one
of your IDs to it?

| You can revoke your primary signing key as well, which invalidates the
| whole thing, since all of the self-signatures that hold the key together
| would be invalidated.
| --Dennis Lambe
| _______________________________________________
| Gnupg-users mailing list

thanks again

--

Carl L. Gilbert
Free Java interface to
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16
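The packet bundle Dennis describes, as an added example that is not part of this thread and not GnuPG's own code: a small Python walker over a constructed OpenPGP public key (placeholder key material and signature values, nothing verified cryptographically) that lists each packet, derives the primary key ID the way RFC 4880 does (low 64 bits of SHA-1 over 0x99, the length, and the key body), and flags a signature as a self-signature when the issuer subpacket inside it carries that key ID. The sample key also carries a user ID that the owner has revoked (a 0x30 certification-revocation signature on that UID) next to an untouched UID and a bound ElGamal subkey, so it shows why revoking an ID leaves the key itself, and its other IDs, intact. The packet and subpacket framing is real; the key values, user IDs, and the function names are this example's own. A real exported key can be walked the same way, and `gpg --list-packets` prints the same structure.

```python
"""Walk an OpenPGP (RFC 4880) public-key bundle and classify its signatures.
Constructed example: placeholder key material, nothing verified cryptographically;
only the packet framing, key-ID derivation and issuer matching are real OpenPGP mechanics."""
import hashlib
import struct

TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_SUBKEY = 2, 6, 13, 14
SIG_TYPES = {0x10: "generic certification", 0x13: "positive certification", 0x18: "subkey binding",
             0x20: "key revocation", 0x28: "subkey revocation", 0x30: "certification revocation"}
CREATED = struct.pack(">I", 1054000000)  # placeholder creation time (June 2003)


def packet(tag, body):  # new-format header, one- or two-octet body length
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body

def mpi(v):  # multi-precision integer: bit count, then big-endian magnitude
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def pubkey_body(algo, *mpis):  # v4 key packet body: version, created, algorithm, MPIs
    return b"\x04" + CREATED + bytes([algo]) + b"".join(map(mpi, mpis))

def key_id(body):  # low 64 bits of the v4 fingerprint SHA-1(0x99 || 2-octet len || body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()[-8:]

def subpacket(sp_type, body):
    return bytes([len(body) + 1, sp_type]) + body

def sig_body(sig_type, issuer, flags=None):  # v4 signature, DSA (17) over SHA-1 (2)
    hashed = subpacket(2, CREATED) + (subpacket(27, bytes([flags])) if flags is not None else b"")
    unhashed = subpacket(16, issuer)  # issuer key ID: how gpg knows which key made it
    return (b"\x04" + bytes([sig_type, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + mpi(1) + mpi(1))


def build_example_key():  # DSA primary, two UIDs (second revoked), ElGamal subkey
    primary = pubkey_body(17, 0xB7, 0x7B, 0x05, 0x51)          # DSA p, q, g, y placeholders
    me = key_id(primary)
    other = key_id(pubkey_body(17, 0xC3, 0x5F, 0x02, 0x93))    # some other person's key
    return b"".join([
        packet(TAG_PUBKEY, primary),
        packet(TAG_UID, b"Example User <user@example.com>"),
        packet(TAG_SIG, sig_body(0x13, me, flags=0x02)),       # self-certification, sign flag
        packet(TAG_SIG, sig_body(0x10, other)),                # third party vouches for UID
        packet(TAG_UID, b"Example User <old@example.com>"),
        packet(TAG_SIG, sig_body(0x13, me, flags=0x02)),
        packet(TAG_SIG, sig_body(0x30, me)),                   # owner revokes this UID only
        packet(TAG_SUBKEY, pubkey_body(16, 0xA9, 0x02, 0x6D)), # ElGamal p, g, y placeholders
        packet(TAG_SIG, sig_body(0x18, me, flags=0x0C)),       # binding, encrypt flags
    ])


def iter_packets(data):  # yields (tag, body); handles old- and new-format headers
    i = 0
    while i < len(data):
        first = data[i]
        if first & 0x40:                                       # new format
            tag, n = first & 0x3F, data[i + 1]
            if n < 192:
                i, length = i + 2, n
            elif n < 224:
                i, length = i + 3, ((n - 192) << 8) + data[i + 2] + 192
            else:
                raise ValueError("5-octet and partial body lengths not supported")
        else:                                                  # old format
            tag, size = (first >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[first & 0x03]
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length


def parse_sig(body):  # (signature type, issuer key ID) from a v4 signature packet
    sig_type, pos, issuer = body[1], 4, None
    for _ in range(2):                                         # hashed, then unhashed area
        area_len = struct.unpack(">H", body[pos:pos + 2])[0]
        area, pos = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len
        j = 0
        while j < len(area):
            n, sp_type = area[j], area[j + 1]
            if sp_type == 16:
                issuer = area[j + 2:j + 1 + n]
            j += 1 + n
    return sig_type, issuer


def summarize(data):  # one row per signature: target, type, issuer, self-signature or not
    primary_id, target, rows = None, None, []
    for tag, body in iter_packets(data):
        if tag == TAG_PUBKEY:
            primary_id, target = key_id(body), "primary key " + key_id(body).hex().upper()
        elif tag == TAG_UID:
            target = "uid " + body.decode()
        elif tag == TAG_SUBKEY:
            target = "subkey " + key_id(body).hex().upper()
        elif tag == TAG_SIG:
            sig_type, issuer = parse_sig(body)
            rows.append({"target": target, "type": SIG_TYPES.get(sig_type, hex(sig_type)),
                         "issuer": issuer.hex().upper() if issuer else "unknown",
                         "self": issuer == primary_id})
    return rows


def revoked_uids(data):  # a UID counts as revoked only if the revocation is a self-signature
    return sorted({r["target"] for r in summarize(data)
                   if r["self"] and r["type"] == "certification revocation"})


if __name__ == "__main__":
    for r in summarize(build_example_key()):
        print("self-sig   " if r["self"] else "third-party", r["type"], "on", r["target"])
```

Run as a script it prints one line per signature; the third-party certification on the first UID is the only row that is not a self-signature, and the revoked UID is the only one with a certification-revocation row, while the primary key and the subkey binding are untouched. Note that the walker trusts the issuer subpacket to say who signed; gpg additionally verifies the signature against that key, which is the step a hostile packet could not forge.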