How trust works in gpg...

Herbert Furting lhshas at googlemail.com
Tue Apr 15 23:42:30 CEST 2008


On Tue, 2008-04-15 at 17:09 -0400, David Shaw wrote:
> Change your preferences and GPG will make a new selfsig for you.  No
> source hacking needed.
Yes, but ok, let me explain what I want or would like to have ;-)

My current key has the following layout:
***[Pub key packet]***
***[UID]***
***[0x13 selfsig (SHA1), with cipher-, hash-, compress- algo prefs, key
flags, features, key expiration time and of course stuff like signature
creation time]***

What I would like to have is probably (I'm actually not yet sure ;) ):
***[pub key packet]***
***[0x1F selfsig]***
I assume that would be inserted here?
I think it should probably contain key expiration time and key flags,
because as far as I understand this information is clearly bound to the
key (would it make sense to have different key expiration times, or key
flags, for different UIDs/roles?).

And perhaps even the algo prefs and the features (if they are the
same for all UIDs).
Now here I'm not yet sure, and I still discuss this with Christoph.
If the algorithm preferences and features should be considered as
role preferences, the proper place would always be the 0x13 (because
these are for the roles, which are effectively the UIDs).
But if not, it could make sense to put them on a 0x1F when they're the
same for each UID(/role).
I could still add them to single UIDs if some of them have different
settings because of their environment.

Hmm, could one imagine having different key-server URIs per UID?

Does this make sense?
(And just to prevent any unnecessary discussion: I know that this is
not the way gpg handles this stuff (now), and that it is not
necessarily implied by the standard. I just think that this could make
sense.
So especially for Robert, please wait until Christoph finishes his paper
and posts it to the WG.)

Then the UIDs + 0x13s:
***[UID]***
***[the 0x13 selfsig (SHA1) from above]***
***[that signature revoked]***
(you remember my last mail where I asked you if that makes sense, and
you just told me that I still use SHA1 in some places), but I still
haven't thought about the best fitting reason for revocation
***[new 0x13 selfsig (SHA512), perhaps with some of the subpackets from above
(the algo prefs), or not, depending on whether the above makes sense]***
***[ the same for other UIDs ]***



So just changing the prefs via setprefs doesn't do this :-(
I've already found make_keysig_packet, which is called from keyedit.c
to create the selfsig, but then I got stuck.

I think what I wish to do needs too much in-depth knowledge of GnuPG's
functions.


Is there perhaps a tool that simply allows editing every aspect of
OpenPGP keys, and that then recreates the selfsigs as desired? Including
length calculation of the packets, the hash contexts and the signature
algorithms?
Perhaps something like a counterpart to pgpdump (I love that tool XD).



Ah, and perhaps one last question (for now ;) ) if I have your attention
right now.
Does it make sense to put policy URIs on selfsigs? Could you imagine a
possible meaning of such a thing?


Thanks a lot,
Herbert.

btw: If anybody here thinks I'm a barrater, blame Christoph, he
brought me to read the RFC ;)
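The packet layout sketched in the message above, as an added example that is not part of the original post and not GnuPG's code: a small pgpdump-style walker in Python that builds a constructed key block with a 0x1F direct-key self-signature carrying key flags and a key expiration time, followed by a UID and a 0x13 certification carrying the algorithm preferences and features, then parses the stream back and reports which signature type each subpacket lives on. Packet and subpacket length encoding and the v4 signature header follow RFC 4880; the key material, hash prefix and MPIs are dummy bytes, so nothing in it verifies. The UID, the creation timestamp and all helper names (build_example_key, describe, where_is) are assumptions made for the example.

```python
import struct

TAG_SIG, TAG_PUBKEY, TAG_UID = 2, 6, 13                   # RFC 4880 packet tags
SIGTYPE_NAMES = {0x13: "positive certification (0x13)", 0x1F: "direct-key (0x1F)"}
HASH_NAMES = {2: "SHA1", 8: "SHA256", 10: "SHA512"}
SUBPKT_NAMES = {2: "sig creation time", 9: "key expiration time", 11: "pref symmetric algos",
                21: "pref hash algos", 22: "pref compression algos", 24: "preferred key server",
                26: "policy URI", 27: "key flags", 30: "features"}

def encode_len(n):
    """New-format length octets (RFC 4880 4.2.2; subpackets use the same scheme)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def decode_len(buf, pos):
    """Return (length, position just after the length octets)."""
    b0 = buf[pos]
    if b0 < 192:
        return b0, pos + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def packet(tag, body):
    return bytes([0xC0 | tag]) + encode_len(len(body)) + body

def subpacket(sptype, body):
    return encode_len(len(body) + 1) + bytes([sptype]) + body   # length counts the type octet

def signature(sigtype, hash_alg, hashed_subpkts):
    hashed = b"".join(hashed_subpkts)
    body = bytes([4, sigtype, 1, hash_alg])              # version 4, sig type, RSA, hash algo
    body += struct.pack(">H", len(hashed)) + hashed      # hashed subpacket area
    body += struct.pack(">H", 0) + b"\x00\x00"           # empty unhashed area, dummy hash prefix
    return packet(TAG_SIG, body + b"\x00\x08\xab")       # one dummy 8-bit MPI

def build_example_key():
    """Constructed key block in the layout discussed: pubkey, 0x1F, UID, 0x13 (dummy MPIs, nothing verifies)."""
    created = struct.pack(">I", 1208295750)              # constructed creation timestamp
    pubkey = packet(TAG_PUBKEY, b"\x04" + created + b"\x01" + b"\x00\x08\xab" * 2)
    direct = signature(0x1F, 10, [                       # hash algo 10 = SHA512
        subpacket(2, created),
        subpacket(27, b"\x03"),                          # key flags: certify | sign
        subpacket(9, struct.pack(">I", 2 * 365 * 86400)),   # expires two years after creation
    ])
    uid = packet(TAG_UID, b"Example User <user at example.org>")
    cert = signature(0x13, 2, [                          # hash algo 2 = SHA1, as in the current key
        subpacket(2, created),
        subpacket(11, bytes([9, 8, 7, 3, 2])),           # AES256 AES192 AES128 CAST5 3DES
        subpacket(21, bytes([10, 8, 2])),                # SHA512 SHA256 SHA1
        subpacket(22, bytes([2, 3, 1])),                 # BZip2 ZLIB ZIP
        subpacket(30, b"\x01"),                          # features: modification detection
    ])
    return pubkey + direct + uid + cert

def parse_packets(stream):
    """Yield (tag, body) per packet; old-format indeterminate lengths are rejected."""
    pos = 0
    while pos < len(stream):
        hdr = stream[pos]
        if not hdr & 0x80:
            raise ValueError("no packet header at offset %d" % pos)
        if hdr & 0x40:                                   # new-format header
            tag = hdr & 0x3F
            length, pos = decode_len(stream, pos + 1)
        else:                                            # old-format header, 1/2/4-octet length
            tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[hdr & 0x03]   # type 3 -> KeyError
            length = int.from_bytes(stream[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, stream[pos:pos + length]
        pos += length

def parse_subpackets(data):
    out, pos = [], 0
    while pos < len(data):
        length, pos = decode_len(data, pos)
        sptype = data[pos] & 0x7F                        # high bit is the critical flag
        out.append((SUBPKT_NAMES.get(sptype, "type %d" % sptype), data[pos + 1:pos + length]))
        pos += length
    return out

def describe(stream):
    """pgpdump-like listing: one dict per packet, signatures expanded into subpackets."""
    listing = []
    for tag, body in parse_packets(stream):
        if tag == TAG_SIG:
            hashed_len = struct.unpack(">H", body[4:6])[0]
            listing.append({"packet": "signature", "type": SIGTYPE_NAMES.get(body[1], hex(body[1])),
                            "hash": HASH_NAMES.get(body[3], str(body[3])),
                            "subpackets": dict(parse_subpackets(body[6:6 + hashed_len]))})
        elif tag == TAG_UID:
            listing.append({"packet": "user id", "uid": body.decode()})
        else:
            listing.append({"packet": "public key" if tag == TAG_PUBKEY else "tag %d" % tag})
    return listing

def where_is(listing, subpkt_name):
    """Signature types carrying a given subpacket: answers 'where does this live?'."""
    return [e["type"] for e in listing if e["packet"] == "signature" and subpkt_name in e["subpackets"]]
```

To run it against a real key, feed the bytes of `gpg --export` to describe() instead of build_example_key(); real keys mostly use old-format headers, which parse_packets handles for the fixed-length cases. Two caveats worth keeping in mind when moving subpackets around as the message proposes: only the hashed area is covered by the signature, so a preference or expiration placed in the unhashed area is unprotected, and a consumer that only looks at the 0x13 on a UID (rather than at a 0x1F) will simply not see anything moved there.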




More information about the Gnupg-users mailing list