Signatures stored as information inside a "public key"/certificate?
wk at gnupg.org
Fri Jun 13 18:34:24 CEST 2008
On Fri, 13 Jun 2008 17:07, george.davidescu at gmail.com said:
> Which is correct? Are signatures an inherent part of the key or are they
> stored extrinsically?
Lets clarify the terms:
- In OpenPGP parlance a "certificate" (as used with X.509) is called a
"keyblock". It is perfectly okay to use the term certificate for an
OpenPGP public key block - it is the same concept. (Please ignore the
fact that OpenPGP also has secret key blocks)
A certificate/keyblock consists of several packets, at least one
packet is a key and usually you see user ID packet and signature
packets as well. This composition of packets makes up the
- People often use the term "key" and they usually mean the
certificate/keyblock and not the packet with the actual key.
- A "keyring" is used by some implementations to store
certificates/keyblocks. RFC4880 says (3.6):
A keyring is a collection of one or more keys in a file or database.
Traditionally, a keyring is simply a sequential list of keys, but may
be any suitable database. It is beyond the scope of this standard to
discuss the details of keyrings or other databases.
Back to your question: Signatures are stored in the keyblock. At least
for OpenPGP compliant messages. OpenPGP defines only the interchange
format; applications may store it differently.
If you export an OpenPGP certificate it is entirely exported with some
minor changes (for example signatures marked as non-exportable are
removed). In contrast to X.509 the OpenPGP format allows for certain
transformations of the certificate without rendering it invalid.
The armor is just put at the end around the binary certificate/keyblock
and only a transport encoding.
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
More information about the Gnupg-users