Key Flags

David Shaw dshaw at
Mon Jul 28 22:35:08 CEST 2008

On Mon, Jul 28, 2008 at 12:36:07PM -0700, Loren M. Lang wrote:
> I am trying to understand the differences between the key flags sign and  
> certify.  As I understand it all self-signatures are a type of  
> certification so the primary key needs certify, but not sign.

Yes, though in practice, most primary keys have both.

> A subkey  
> can have sign and not certify.


> Also, when signing someone elses user id  
> or user attribute the signing key must have certify.

Yes.  Note that since the web of trust is made up of primary key
signatures, this naturally follows from your first statement.

> The sign flag is  
> used for signing things not part of the web of trust such as emails,  
> software, etc.



More information about the Gnupg-users mailing list