moving user ID Comments to --expert mode

David Shaw dshaw at
Fri Feb 4 00:30:23 CET 2011

On Feb 3, 2011, at 5:10 PM, Robert J. Hansen wrote:

>> I invite you to look through the User IDs in your own keyring, from the
>> perspective of a potential certifier, and ask yourself "what does it
>> mean for me to certify these comments?"
> Zero.  Comments don't get certified.  All my signature means is I have
> met this person face to face, have seen two forms of government
> identification, have confirmed a fingerprint and exchanged an email at
> that address.  There's nothing in my signature policy that addresses
> comments, nothing at all.

I'm afraid I'm not parsing your point here.  Comments are part of the user ID field.  When you make a certification, they are included in the hash.  You can't sign part of a user ID.

Are you saying that you don't sign things with comments?  ("Comments don't get certified").

Or are you arguing the *meaning* of the certification (you may or may not sign the user ID, but if you did sign it, the comment part should be considered null and void in terms of your particular certification)?

Or something else?

>> Omitting the baffling prompt entirely would be the most terse, which is
>> what i propose.  Do you object to that?
> Without a good basis, yes, I do.  If you change this prompt you will
> also break a ton of scripts that expect this prompt.  Not only that, but
> since key generation is a rare occurrence the breakage may occur months
> or years after the change is made.  This isn't something to be done lightly.

I suppose I don't really have particularly strong feelings about whether "comment" is put under --expert or not, but either way this argument is not a good one.  We have made many changes to the keygen prompts over time, and no doubt will continue to do so in the future.  The only scriptable interface for key generation in GPG is --batch --key-gen, and it is documented as such.
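The point that the comment is hashed along with the rest of the user ID, as an added example that is not from the original post or from GnuPG itself: the v4 certification hash input of RFC 4880 section 5.2.4, built over a constructed (not real) key packet body, with the actual signing step omitted so that only the digest the certifier would sign is compared.

```python
# Added example (not from the original post): the OpenPGP v4 certification
# hash input of RFC 4880 section 5.2.4, built over a constructed key packet
# and a user ID. It shows that the comment is hashed with the rest of the
# user ID, so a certifier cannot sign "part of" a user ID.
import hashlib
import struct

# Constructed v4 public-key packet body (NOT a real key): version, creation
# time, algorithm id 1 (RSA), and two tiny MPIs standing in for n and e.
KEY_BODY = bytes([4]) + struct.pack(">I", 1296777600) + bytes([1]) \
    + struct.pack(">H", 16) + b"\xc0\x01" + struct.pack(">H", 2) + b"\x03"


def certification_hash_input(key_body: bytes, user_id: str,
                             sig_type: int = 0x10, creation: int = 1296777600) -> bytes:
    """Return the bytes a v4 certification signature is hashed over (RFC 4880 5.2.4)."""
    uid = user_id.encode("utf-8")
    # Public key packet: 0x99, two-octet body length, body.
    data = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    # User ID for v4 signatures: 0xB4, four-octet length, the whole UID string.
    data += b"\xb4" + struct.pack(">I", len(uid)) + uid
    # Hashed signature data: version 4, sig type, pubkey alg RSA (1), hash SHA-256 (8),
    # then the hashed subpackets (here only a signature creation time, subpacket type 2).
    subpacket = bytes([5, 2]) + struct.pack(">I", creation)
    hashed = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(subpacket)) + subpacket
    # v4 trailer: 0x04 0xFF and the four-octet length of the hashed signature data.
    data += hashed + b"\x04\xff" + struct.pack(">I", len(hashed))
    return data


def certification_digest(key_body: bytes, user_id: str) -> str:
    """SHA-256 hex digest that the certifier's signature would be made over."""
    return hashlib.sha256(certification_hash_input(key_body, user_id)).hexdigest()


def certification_matches(key_body: bytes, signed_digest: str, presented_uid: str) -> bool:
    """Verifier side: does the digest the certifier signed match the UID now presented?"""
    return certification_digest(key_body, presented_uid) == signed_digest


if __name__ == "__main__":
    uid_with_comment = "Alice Example (work key) <alice@example.com>"
    signed = certification_digest(KEY_BODY, uid_with_comment)
    # Removing the comment changes the hashed bytes, so the certification no longer matches.
    print(certification_matches(KEY_BODY, signed, uid_with_comment))  # True
    print(certification_matches(KEY_BODY, signed, "Alice Example <alice@example.com>"))  # False
```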
