Is self-signing necessary? Basic questions.

takethebus at takethebus at
Sun Jan 2 04:30:53 CET 2011

I everybody, 

I tried to understand some of the concepts of GnuPG and would be grateful for you to give me a feedback, whether I understood things right. I'm especially interested in the concept of self-signed keys. My key type is "RSA and RSA (PGP)". Here is what I understood:

My pulic key consists of the following:
public master signing key (pub),
public subordinate keys (sub),
User IDs.

Are the key IDs newly calculated every time GnuPG runs or are they members of the public key like the user IDs, too?

Is the public master signing key ONLY used for signing and the public subordinate key ONLY used for enryption?

Is the fingerprint of my public key ONLY the fingerprint of my public master signing key?

When signing another key, what I do is to ONLY sign the other person's public master signing key with my own private master signing key. I don't sign a certain user ID or something. Is that right? (see the next two points)

A self-singed public key, is a public key, who's following components are singed by the private master signing key, belonging to the same key pair:
public subordinate keys (sub),
User IDs,
(key IDs?).

Because the public key is self-signed, it is OK, to only sign the public master key when signing a key. It is OK, because this key signed the user IDs. But if that's so, don't I sign ALL user IDs (if there are several) of that public key by signing the public master singing key?

Does GnuPG demand, that a public key must be self-signed, otherwise it's "no key" at all? 

Are keys checked automatically by GnuPG to be self-signed?

Can signatures be removed from a key again? 

What about removing self-signatures, changing suboridinate encryption keys and user IDs? Is that possible/easy? 

Thanks for the answers,

More information about the Gnupg-users mailing list