Authenticate capability of DSA or RSA signing keys

David Shaw dshaw at
Mon Feb 11 04:08:46 CET 2008

On Sun, Feb 10, 2008 at 08:48:13PM -0600, Kevin Hilton wrote:
> When I perform a
> gpg --expert --gen-key
> I'm given the following options:
> Please select what kind of key you want:
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (3) DSA (set your own capabilities)
>    (5) RSA (sign only)
>    (7) RSA (set your own capabilities)
> Your selection?
> If I select either 3 or 7, I'm given the choice similar to below (note
> the following was produced with option #3):
> Possible actions for a DSA key: Sign Certify Authenticate
> Current allowed actions: Sign Certify
>    (S) Toggle the sign capability
>    (A) Toggle the authenticate capability
>    (Q) Finished
> I believe I'm aware of the signing capabilities, but how does Certify
> differ from Authenticate?  Obviously I'm confused on the meaning of
> Certify vs Authenticate.  I thought the public DSA signing key did
> certification/authentication whereas the private DSA key performed the
> signing.

The public/private question is not relevant here.

Sign = sign some data
Certify = sign a key
Authenticate = prove you are you

Authenticate is used for things like using an OpenPGP key for ssh.
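
The capabilities discussed in this thread can be read back from an existing key. The following is an added example, not part of the original post: it decodes the capability field (field 12) of `gpg --list-keys --with-colons` output. The sample output, key IDs and function names are constructed for illustration.

```python
# Added example: decode the capability field of `gpg --list-keys --with-colons`.
# In field 12, lowercase letters are the capabilities of that key or subkey;
# uppercase letters on a primary key summarize what the whole key can do.
CAPABILITIES = {
    "s": "Sign (sign some data)",
    "c": "Certify (sign a key)",
    "a": "Authenticate (prove you are you)",
    "e": "Encrypt",
}

# Constructed sample output (key IDs, timestamps and user ID are made up).
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1202700000:::u:::scESCA:
uid:u::::1202700000::0000000000000000000000000000000000000000::Constructed User <user@example.org>:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1202700000::::::a:
sub:u:2048:16:CCCCCCCCCCCCCCCC:1202700000::::::e:
"""


def key_capabilities(colon_output):
    """Return {key_id: set of capability letters} for key and subkey records."""
    result = {}
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub", "sec", "ssb") or len(fields) < 12:
            continue  # uid, fpr and other record types carry no capability field
        # Keep only the lowercase letters: this key's own capabilities.
        result[fields[4]] = {ch for ch in fields[11] if ch in CAPABILITIES}
    return result


def keys_with(colon_output, letter):
    """Return the sorted key IDs whose own capabilities include `letter`."""
    caps = key_capabilities(colon_output)
    return sorted(key_id for key_id, own in caps.items() if letter in own)


if __name__ == "__main__":
    for key_id, own in key_capabilities(SAMPLE).items():
        print(key_id, "; ".join(CAPABILITIES[c] for c in sorted(own)))
    # The subkey listed here is the one that would be used for ssh.
    print("authentication keys:", keys_with(SAMPLE, "a"))
```

In the constructed sample the primary key signs and certifies, while authentication lives on a separate subkey.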

