What does the "sub" entry of a key mean?
dshaw at jabberwocky.com
Sat Jan 15 18:27:58 CET 2011
On Jan 15, 2011, at 11:13 AM, Bo Berglund wrote:
> I am building an application for GPG encryption, which ultimately will
> be integrated into the Win7X64 Explorer context menu.
> I have used the command line command "gpg2 -k" to retrieve a ley list
> for the current key ring. Works fine. Now it is time for parsing and I
> have a few questions:
> The output from the command looks like this (shortened):
> C:/Documents and Settings/Bosse/Application Data/gnupg/pubring.gpg
> pub 1024D/C50DAFF8 2006-08-19
> uid Bo Berglund <bo.berglund at gmail.com>
> sub 2048g/011AD792 2006-08-19
> pub 1024D/41C6E930 2003-04-10
> uid Richard Jones <richard at commonground.com.au>
> uid Richard Jones <richard at mechanicalcat.net>
> uid Richard Jones <richardjones at optushome.com.au>
> sub 1024g/40AD97DF 2003-04-10
> Now, I understand most of this but I would like to know the
> significance of these items:
> 1) In the pub line the first item is a number + a letter. I assume
> that the number is the bit length of the key, but what does the letter
> mean? And which are the possible letters?
Yes, the number is the bit length of the key. The letters are:
RSA == R
DSA == D
Elgamal == g (only seen in subkeys)
Historically there was a "G" for an Elgamal key that could both encrypt and sign, but that was dropped from OpenPGP. The current lowercase "g" Elgamal is an encrypt-only key.
> 2) What does the last line of each key mean, which starts with sub?
> Notice that there is a different hex code and different letter
> following the key length...
Sub is for subkeys. They are other keys that go along with the main, or primary, key. A common usage pattern is for the primary to be used for signing, and the subkey used to encryption.
> 3) Some keys have several uid lines, is there a maximum or minimum
> number here? It looks like a number of email addresses attached to the
> key, is this correct?
There is a minimum of 1. There is no maximum. There are also "uat" lines, of which there are zero or more. A uat is used to store other things aside from text (for example, photo IDs).
> 4) I only have one public keyring, but I assume that it is possible to
> have several? If so will the -k command list these after each other?
> The first output line seems to be the actual keyring location.
It is possible to have several.
I note that you are trying to parse the output, though. That is a bad idea, as the format is intended for human consumption, and not machine parsing. The machine format is stable, and the human format is subject to change. Use the --with-colons option to enable machine parsing.
More information about the Gnupg-users