key_confusion

Mario Castelán Castro marioxcc.MT at yandex.com
Thu Aug 31 03:40:10 CEST 2017


Hello.

Your message is very bad written and I can barely understand it. I will
answer what I have understood.

On 30/08/17 10:40, mizett at elude.in wrote:
> *******************************************************
> hi all,
> 
> i do not clearly understand the difference between .asc , .gpg , .sign ,
> .sig , cert and do not know the official_usage & conventions.
> i made my own research before but ... unsuccessfully.

The main specification for OpenPGP (the format used by the “gpg” command
line program) is this: <https://tools.ietf.org/html/rfc4880>.
*Apparently* it does not specify any file extension.

There are some *conventions* regarding file names. “.asc” is used for
_ASC_II-armored OpenPGP files. “.sig” is used for OpenPGP detached
signatures (generated with “gpg -b”). I think that GNU PG uses “.gpg” by
default for everything else (as long as it is in OpenPGP format).

Anyway, what matters is the content of the file, not the file name. You
can obtain a summary of the content of any OpenPGP file with “gpg
--list-packets < FILE”.

> key is also a certificate if i understood well what i read.
> it looks like :
> 	- gnupg uses public.key for being exported on a server_internal operation.
> 	- gnupg uses public.asc for being exported on an
> e-mail/mailing-list_external

I have no idea of what you mean by “server_internal operation”. GNU PG
does not interfaces with e-mail at all. Many e-mail clients call GNU PG
in the background, but then GNU PG will do whatever the e-mail client
requests.

Some people use the word “certificate” to refer to OpenPGP primary keys.

Primary keys should not be confused with “revocation certificates”.
*Revocation* certificates are a type of signed message that say “Do not
longer this key; it may have been compromised or it is not longer in
use” in a machine-readable way.

The act of signing a key (that is, giving your word that the key belongs
to whoever it claims to belong) is also called “certification”, and the
resulting signature is called a “certification signature” in RFC 4880.

> operation.
> 	- gnupg uses cert for server/vpn = multiple keys
> 	- key = gpg = cert ?
> 	- cert = sign = sig = every keys (subkeys inc

luded)
> 	- cert = gpg = soft/file encrypted
> 	- cert = asc = sign = sig = gpg = gpg2 ?
> --- is it not the same ?

GNU PG is the name of the software. “gpg” is the name of one of the
command line programs that GNU PG provides. I do not understand the rest.

> i do not clearly understand the difference between .cert .asc , .gpg ,
> .sign , .sig and do not know the official_usage & conventions.
> - could i rename the public.* as .sign and what is the difference using
> .sig ?
> - could i export the public.key on the hkps-server or must i use the
> public.asc ?
> - could i rename public.asc in public.gpg2 ?
> ... and the same questions come in my mind about the *SUMS files.
> ... and the same confusion about user-id , fpr , e-mail :
> --- is it not the same ?

These are all misguided questions. The filename is irrelevant. The file
extensions are there for *you* to help you recognize the files, not for
GNU PG.

> have you a link where all these embarrassing questions are clearly
> explained ?

Look at the “Documentation” page in the GNU PG web site
<https://www.gnupg.org/documentation/index.html>.

> OFF-TOPIC : could gnupg add a special option in his settings/option :
> quantum resistant ?
> I mean an embedded version of codecrypt.

I am not a developer of GNU PG, but I assume that public-key algorithms
resistant to quantum computing will be standardized (by some standard
group like the IETF) and added to GNU PG *when* the need arises, just as
support for ECC was recently added.

*Currently* the factorization and discrete logarithm algorithms are
enough. Also note that symmetric encryption algorithms are minimally
affected by quantum computing. GNU PG implements, for example, AES-256
and SHA-512 which should be strong against quantum computers if they are
strong against classical computers.

Instead of worrying about quantum computers, worry about proper security
practices as the end user. The chain is no stronger than the weakest
link, and the user is almost always the weakest link.

-- 
Do not eat animals; respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170830/dc22ea2c/attachment.sig>


More information about the Gnupg-users mailing list