Is self-signing necessary? Basic questions.
mailinglisten at hauke-laging.de
Sun Jan 2 05:09:48 CET 2011
Am Sonntag 02 Januar 2011 04:30:53 schrieb takethebus at gmx.de:
> Are the key IDs newly calculated every time GnuPG runs or are they members
> of the public key like the user IDs, too?
The key IDs are a small part of the key (SHA-1) hash value. Thus they are part
of the public key but I don't know whether explicitly or just implicitly.
> Is the public master signing key ONLY used for signing and the public
> subordinate key ONLY used for enryption?
There are four key capabilities:
E: encryption (and decryption)
The main key is the only one which is used for key certifications (both for
its own subkeys and for other main keys) because only the main key is
identified by key certifications. The main key does not need any other
capability. Not to use the main key for anything other than certifications
allows you to keep that key offline (see --export-secret-subkeys). It is not
necessary but makes sense to deny the main key all other capabilities if
intended for offline use only.
You can create subkeys with one or several capabilities (except for
certification). In theory you could have a main key for certification and
encryption and a subkey for signing. Subkeys can be created with a limited
validity time. An offline main key can easily be valid for a long time (or
> Is the fingerprint of my public key ONLY the fingerprint of my public
> master signing key?
Yes. The fingerprint refers to the key material itself and thus does not
change when UIDs or subkeys change. Everything else (UIDs, subkeys, key
configuration) is checked indirectly by checking the validity of the main
key's signature for this data.
> When signing another key, what I do is to ONLY sign the other person's
> public master signing key with my own private master signing key. I don't
> sign a certain user ID or something. Is that right? (see the next two
You verify only the main key itself by the fingerprint but you always sign the
key together with a UID. gpg --list-sigs shows this to you: The root entry is
pub, the uids are the next level ("connected" to pub) and the signatures refer
> A self-singed public key, is a public key, who's following components are
> singed by the private master signing key, belonging to the same key pair:
> public subordinate keys (sub),
> User IDs,
A key must have at least one UID (at least with gpg) but need not have any
> Because the public key is self-signed, it is OK, to only sign the public
> master key when signing a key. It is OK, because this key signed the user
> IDs. But if that's so, don't I sign ALL user IDs (if there are several) of
> that public key by signing the public master singing key?
You have to explicitly sign UIDs. AFAIK it is not possible to sign the raw key
> Does GnuPG demand, that a public key must be self-signed, otherwise it's
> "no key" at all?
Not demand but it seems to not make sense, see --allow-non-selfsigned-uid:
"Allow the import and use of keys with user IDs which are not self-signed.
This is not recommended, as a non self-signed user ID is trivial to forge."
But I do not understand the practical problem: What sense could it make for an
attacker to modify UIDs if the user of the public key verifies the
> Are keys checked automatically by GnuPG to be self-signed?
I don't know but you can try. :-)
> Can signatures be removed from a key again?
Yes, that is easily possible:
2) if needed: uid ...
> What about removing self-signatures, changing suboridinate encryption keys
> and user IDs? Is that possible/easy?
You get warned if you try to remove selfsigs. UIDs and subkeys can be changed
by commands like addkey delkey, see the man page for --edit-key.
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 555 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users