How trust works in gpg...

David Shaw dshaw at jabberwocky.com
Thu Apr 24 19:21:08 CEST 2008


On Tue, Apr 15, 2008 at 11:42:30PM +0200, Herbert Furting wrote:
> On Tue, 2008-04-15 at 17:09 -0400, David Shaw wrote:
> > Change your preferences and GPG will make a new selfsig for you.  No
> > source hacking needed.
> Yes but ok let me explain what I want or would like to have ;-)
> 
> My current key has the following layout:
> [Pub key packet]
>   [UID]
>     [0x13 selfsig (SHA1), with cipher-, hash-, compress- algo prefs, key
>      flags, features, key expiration time and of course stuff like signature
>      creation time]
> 
> What I would like to have is probably (I'm actually not yet sure ;) ):
> [pub key packet]
>   [0x1F selfsig]
> I assume that would be inserted here?
> I think it should probably contain key expiration time and key flags,
> because as far as I understand this information is clearly bound to the
> key (would it make sense to have different key expiration times, or key
> flags for different UIDs/roles?)

No.  Key flags do not pertain to UIDs or roles.  They pertain only to
keys.

What you sketch out above is legal by the spec.  No program that I
know of does it that way, but it's legal.

> And perhaps even the algo prefs and the features (if they are the
> same for all UIDs).

Again, legal, but nobody does it that way.

> Now here I'm not yet sure and I'm still discussing it with Christoph.
> If the algorithm preferences and features should be considered as
> role-preferences, the proper place would always be the 0x13 (because
> these are for the roles, which are effectively the UIDs).
> But if not, it could make sense to put them on a 0x1F, when they're the
> same for each UID(/role).
> I still could add them to single UIDs if some of them have different
> settings because of their environment.

Same.

> Hmm, could one imagine having different key-server URIs per UID?

Sure.  Say I use the same key for home and work, so I have two UIDs on
the key.  Work has a keyserver, and home uses a public keyserver.

> Is there perhaps a tool that simply allows editing every aspect of
> OpenPGP keys, and that then recreates the selfsigs as desired? Including
> length calculation of the packets, the hash contexts and the signature
> algorithms?
> Perhaps something like a counterpart to pgpdump (I love that tool XD).

None that I know of.

> Ah, and perhaps one last question (for now ;) ) if I have your attention
> right now.
> Does it make sense to put policy URI's on selfsigs? Could you imagine a
> possible meaning of such a thing?

It's not up to me to say whether it makes sense or not.  Policy URIs
are for specifying the policy under which a signature was issued.  If
you want to state the policy for your self sigs, this is how you do
it.  If you don't, don't.

David
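The packet layouts sketched in the thread (a 0x1F direct-key selfsig carrying key flags and expiration, then a UID whose 0x13 selfsig carries the algorithm preferences, features and keyserver URI), as an added example that is not part of the original post or of GnuPG: a small Python script that assembles that sequence of RFC 4880 packets from constructed dummy key and signature material, then walks it back, pgpdump-style, reporting which hashed subpackets sit on which selfsig. The key bytes, hash-left16 and signature MPI are placeholders, so the sample is not a cryptographically valid key; the packet framing and subpacket numbering are the real ones.

```python
import struct
# Packet tags and signature subpacket types as numbered in RFC 4880.
TAG = {6: "public key", 13: "user ID", 2: "signature"}
SUBPACKET = {2: "sig creation time", 9: "key expiration", 11: "pref sym algos",
             21: "pref hash algos", 22: "pref compress algos", 24: "pref keyserver",
             26: "policy URI", 27: "key flags", 30: "features"}
def packet(tag, body):
    # New-format header with a one-octet length (bodies here are under 192 octets).
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

def subpacket(stype, data):
    # One-octet length that covers the type octet plus the data.
    return bytes([len(data) + 1, stype]) + data

def selfsig(sigtype, subpackets):
    # v4 sig: version, type (0x13/0x1F), RSA, SHA1, hashed area, empty unhashed
    # area, then a constructed dummy hash-left16 and signature MPI.
    hashed = b"".join(subpackets)
    return packet(2, bytes([4, sigtype, 1, 2]) + struct.pack(">H", len(hashed))
                  + hashed + b"\x00\x00" + b"\xab\xcd" + b"\x00\x02\x03")

def layout(blob):
    # Walk the packets pgpdump-style: (name, sig type or None, hashed subpackets).
    out, i = [], 0
    while i < len(blob):
        tag, n, i = blob[i] & 0x3F, blob[i + 1], i + 2
        body, i = blob[i:i + n], i + n
        if tag != 2:
            out.append((TAG[tag], None, []))
            continue
        hlen = struct.unpack(">H", body[4:6])[0]
        area, j, names = body[6:6 + hlen], 0, []
        while j < len(area):
            names.append(SUBPACKET.get(area[j + 1], "type %d" % area[j + 1]))
            j += 1 + area[j]
        out.append(("signature", body[1], names))
    return out

# Constructed sample, not a usable key: 0x1F selfsig with flags/expiry, UID with 0x13 prefs.
NOW = struct.pack(">I", 1208300000)
SAMPLE_KEY = (
    packet(6, b"\x04" + NOW + b"\x01" + b"\x00\x02\x03" + b"\x00\x02\x03")
    + selfsig(0x1F, [subpacket(2, NOW), subpacket(27, b"\x03"),
                     subpacket(9, struct.pack(">I", 2 * 365 * 86400))])
    + packet(13, b"home@example.invalid")
    + selfsig(0x13, [subpacket(2, NOW), subpacket(11, b"\x09\x08"),
                     subpacket(21, b"\x08"), subpacket(22, b"\x02"), subpacket(30, b"\x01"),
                     subpacket(24, b"hkp://keys.example.invalid")])
)
```

Running `layout(SAMPLE_KEY)` lists the four packets in order and shows the key flags and expiration on the 0x1F signature and the preferences, features and keyserver URI on the UID's 0x13 signature.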
