GPG --sign-Key ... what is signed?
I am trying to understand what is signed when I sign a key using GPG.
Is it just a uid?
Is it a blend of the key & a uid? (if so which id?)
Is it a blend of the key and the selected ids?
Where can I read up on this - I have looked (really), but can't see this
discussed in the man pages, info or other GPG docs.
Sorry if this has been done to death & I just didn't find it.
Thanks,
Bruce
Re: GPG --sign-Key ... what is signed?
"Bruce Badger" <bruce_badger@no.spam.badgerse.com> wrote in message
news:3f4058ea$0$23592$5a62ac22@freenews.iinet.net.au...
> I am trying to understand what is signed when I sign a key using GPG.
>
> Is it just a uid?
>
> Is it a blend of the key & a uid? (if so which id?)
>
> Is it a blend of the key and the selected ids?
>
> Where can I read up on this - I have looked (really), but can't see this
> discussed in the man pages, info or other GPG docs.
>
> Sorry if this has been done to death & I just didn't find it.
I think, but don't hold me to this, that it's a hash of the key, just like
you sign a hash of a cleartext message. It could well be the fingerprint.
This is only what I guess though. This is not informed in any way, shape or
form...
--
-----BEGIN GEEK CODE BLOCK-----
Version 3.12
GU d- s+:- a--- C++(++++) !U W++(+++) N+(++) o K? w+(--) ?O M>++
V? PS+ PE-@ Y+(++) PGP++ t+(*) 5 X R(+) tv(-) b+(+++)
DI++++ D G e(*) h!>--- r++ z+>+++
------END GEEK CODE BLOCK------
Re: GPG --sign-Key ... what is signed?
On Tue, 19 Aug 2003 06:55:12 +1000, Gamma3000 wrote:
> "Bruce Badger" <bruce_badger@no.spam.badgerse.com> wrote in message
> news:3f4058ea$0$23592$5a62ac22@freenews.iinet.net.au...
>> I am trying to understand what is signed when I sign a key using GPG.
>>
>> Is it just a uid?
>>
>> Is it a blend of the key & a uid? (if so which id?)
>>
>> Is it a blend of the key and the selected ids?
>>
>> Where can I read up on this - I have looked (really), but can't see
>> this discussed in the man pages, info or other GPG docs.
>>
>> Sorry if this has been done to death & I just didn't find it.
>
> I think, but don't hold me to this, that it's a hash of the key, just
> like you sign a hash of a cleartext message. It could well be the
> fingerprint.
Many thanks for the response - and I won't hold you to anything :-)
May I ask, though, why --sign-key asks you which uids you want to sign if
all that is signed is the key?
fwiw, my *suspicion* is that a signature is made upon the hash of the key
plus the selected uids - but I don't know how to prove or disprove that
(or even read up on it).
Thanks again,
Bruce
Re: GPG --sign-Key ... what is signed?
Bruce Badger wrote:
> fwiw, my *suspicion* is that a signature is made upon the hash of the key
> plus the selected uids - but I don't know how to prove or disprove that
> (or even read up on it).
Your suspicion is correct. A key certification is made up of the hash
of the key and the selected uid. You can read more about it in RFC-2440.
David
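As an added illustration of what David describes (this is not code from the thread or from GnuPG), the following Python reconstructs the exact byte string that a v4 OpenPGP certification signature is computed over, following RFC 2440 section 5.2.4 (the same layout is kept in its successor, RFC 4880). The digest covers the public key packet body (prefixed with 0x99 and a two-octet length), then the one User ID being certified (for v4 signatures prefixed with 0xB4 and a four-octet length), then the hashed fields of the signature packet itself, and finally a fixed trailer. The RSA modulus, creation time and User IDs below are constructed placeholders, not a real key.

```python
"""Which bytes does a v4 OpenPGP certification (--sign-key) signature hash?

Per RFC 2440 section 5.2.4 (carried forward into RFC 4880) the digest is
taken over, in order:
  1. 0x99, the two-octet length of the public key packet body, the body;
  2. for a v4 certification, 0xB4, the four-octet length of the User ID,
     then the User ID being certified (v3 certifications hash the bare UID);
  3. the hashed fields of the signature packet itself;
  4. the trailer 0x04 0xFF plus the four-octet length of item 3.
Each certification therefore binds the key to exactly one User ID, which is
why --sign-key asks which UIDs to sign.  All key material below is a
constructed placeholder, not a usable key.
"""
import hashlib
import struct

RSA = 1          # OpenPGP public key algorithm id (RSA Encrypt or Sign)
SHA1 = 2         # OpenPGP hash algorithm id
HASHES = {SHA1: hashlib.sha1}

# Constructed sample inputs (not a real key).
SAMPLE_TIME = 1061239200                       # arbitrary fixed creation time
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789  # placeholder, not a real modulus
SAMPLE_E = 65537
SAMPLE_UID = b"Alice <alice@example.com>"


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: two-octet bit count, then big-endian value."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public key packet: version, creation time, algorithm, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([RSA]) + mpi(n) + mpi(e)


SAMPLE_KEY_BODY = v4_rsa_public_key_body(SAMPLE_TIME, SAMPLE_N, SAMPLE_E)


def hashed_key_portion(key_body: bytes) -> bytes:
    """0x99 || two-octet length || key body: the part shared with the fingerprint."""
    return bytes([0x99]) + struct.pack(">H", len(key_body)) + key_body


def key_fingerprint(key_body: bytes) -> str:
    """A v4 fingerprint is SHA-1 over the key portion alone; a certification hashes more."""
    return hashlib.sha1(hashed_key_portion(key_body)).hexdigest().upper()


def certification_preimage(key_body: bytes, user_id: bytes, created: int,
                           sig_type: int = 0x10, hash_alg: int = SHA1) -> bytes:
    """Exact byte string a v4 certification signature's digest is computed over."""
    # Hashed subpacket area: one Signature Creation Time subpacket (type 2, length 5).
    subpackets = bytes([5, 2]) + struct.pack(">I", created)
    sig_hashed = (bytes([4, sig_type, RSA, hash_alg])
                  + struct.pack(">H", len(subpackets)) + subpackets)
    trailer = bytes([0x04, 0xFF]) + struct.pack(">I", len(sig_hashed))
    uid_portion = bytes([0xB4]) + struct.pack(">I", len(user_id)) + user_id
    return hashed_key_portion(key_body) + uid_portion + sig_hashed + trailer


def certification_hash(key_body: bytes, user_id: bytes, created: int,
                       sig_type: int = 0x10, hash_alg: int = SHA1) -> bytes:
    """Digest that the signer's private key actually signs for one key/UID pair."""
    preimage = certification_preimage(key_body, user_id, created, sig_type, hash_alg)
    return HASHES[hash_alg](preimage).digest()


if __name__ == "__main__":
    print("fingerprint:", key_fingerprint(SAMPLE_KEY_BODY))
    # Same key, two UIDs: two different digests, hence two separate certifications.
    for uid in (SAMPLE_UID, b"Bob <bob@example.com>"):
        print(uid.decode(), certification_hash(SAMPLE_KEY_BODY, uid, SAMPLE_TIME).hex())
    # Same UID on a different key: the key material changes the digest too.
    other_key = v4_rsa_public_key_body(SAMPLE_TIME + 1, SAMPLE_N, SAMPLE_E)
    print("same UID, other key:", certification_hash(other_key, SAMPLE_UID, SAMPLE_TIME).hex())
```

Running it shows that the fingerprint is only the hash of item 1, so the guess that "it could well be the fingerprint" is close but incomplete: the digest that is signed also depends on the chosen User ID and on the signature's own metadata, and a UID that was not selected is not covered at all. On a real keyring, `gpg --list-packets` on an exported key shows each certification (signature types 0x10 to 0x13) sitting directly after the User ID packet it certifies.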
Re: GPG --sign-Key ... what is signed?
"David Shaw" <dshaw@example.com> wrote in message
news:bhs4rt$l7c$1@foobar.cs.jhu.edu...
> <snip> You can read more about it in RFC-2440.
RFC? Wassat? Is there a link? I've never heard of RFCs before...