GPG --sign-Key ... what is signed? - PGP


  1. GPG --sign-Key ... what is signed?

    I am trying to understand what is signed when I sign a key using GPG.

    Is it just a uid?

    Is it a blend of the key & a uid? (if so which id?)

    Is it a blend of the key and the selected ids?

    Where can I read up on this - I have looked (really), but can't see this
    discussed in the man pages, info or other GPG docs.

    Sorry if this has been done to death & I just didn't find it.

    Thanks,
    Bruce

  2. Re: GPG --sign-Key ... what is signed?

    "Bruce Badger" wrote in message
    news:3f4058ea$0$23592$5a62ac22@freenews.iinet.net.au...
    > I am trying to understand what is signed when I sign a key using GPG.
    >
    > Is it just a uid?
    >
    > Is it a blend of the key & a uid? (if so which id?)
    >
    > Is it a blend of the key and the selected ids?
    >
    > Where can I read up on this - I have looked (really), but can't see this
    > discussed in the man pages, info or other GPG docs.
    >
    > Sorry if this has been done to death & I just didn't find it.


    I think, but don't hold me to this, that it's a hash of the key, just like
    you sign a hash of a cleartext message. It could well be the fingerprint.

    This is only what I guess though. This is not informed in any way, shape or
    form...

  3. Re: GPG --sign-Key ... what is signed?

    On Tue, 19 Aug 2003 06:55:12 +1000, Gamma3000 wrote:

    > "Bruce Badger" wrote in message
    > news:3f4058ea$0$23592$5a62ac22@freenews.iinet.net.au...
    >> I am trying to understand what is signed when I sign a key using GPG.
    >>
    >> Is it just a uid?
    >>
    >> Is it a blend of the key & a uid? (if so which id?)
    >>
    >> Is it a blend of the key and the selected ids?
    >>
    >> Where can I read up on this - I have looked (really), but can't see
    >> this discussed in the man pages, info or other GPG docs.
    >>
    >> Sorry if this has been done to death & I just didn't find it.

    >
    > I think, but don't hold me to this, that it's a hash of the key, just
    > like you sign a hash of a cleartext message. It could well be the
    > fingerprint.


    Many thanks for the response - and I won't hold you to anything :-)

    May I ask, though, why --sign-key asks you which uids you want to sign if
    all that is signed is the key?

    fwiw, my *suspicion* is that a signature is made upon the hash of the key
    plus the selected uids - but I don't know how to prove or disprove that
    (or even read up on it).

    Thanks again,
    Bruce

  4. Re: GPG --sign-Key ... what is signed?

    Bruce Badger wrote:

    > fwiw, my *suspicion* is that a signature is made upon the hash of the key
    > plus the selected uids - but I don't know how to prove or disprove that
    > (or even read up on it).


    Your suspicion is correct. A key certification is made up of the hash
    of the key and the selected uid. You can read more about it in RFC-2440.

    David

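The rule David points to (RFC 2440 section 5.2.4, carried into RFC 4880) can be made concrete: a V4 key certification hashes the public-key packet framed with 0x99, then the user ID framed with 0xB4, then the signature's own hashed data and a trailer, and --sign-key emits one such signature per selected uid. The following Python is an added example, not code from this thread or from GnuPG; the key packet body, the creation times and the uids are constructed samples, not a real key.

```python
import hashlib
import struct

# Constructed sample public-key packet *body* (V4 layout: version, creation
# time, algorithm, MPIs). It is not a real key; only the framing matters here.
SAMPLE_KEY_BODY = (b"\x04" + struct.pack(">I", 1061245512) + b"\x01"
                   + b"\x00\x0c\x0b\xad" + b"\x00\x11\x01\x00\x01")

def fingerprint_v4(key_body):
    """V4 fingerprint: SHA-1 over 0x99, two-octet length, key packet body.
    The user ID plays no part in it, which is why a fingerprint alone cannot
    be what a uid certification signs."""
    framed = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    return hashlib.sha1(framed).hexdigest().upper()

def sig_hashed_data(sig_type, created, pk_alg=1, hash_alg=8):
    """Hashed part of a V4 signature packet: version, type, public-key and
    hash algorithm ids (1 = RSA, 8 = SHA-256 per RFC 4880), then a
    hashed-subpacket area holding only a signature-creation-time subpacket."""
    subpkt = bytes([5, 2]) + struct.pack(">I", created)
    return (bytes([4, sig_type, pk_alg, hash_alg])
            + struct.pack(">H", len(subpkt)) + subpkt)

def certification_hash_input(key_body, user_id, hashed):
    """Octets a V4 key certification (types 0x10..0x13) actually hashes:
    key (0x99 + 2-octet len + body), user ID (0xB4 + 4-octet len + uid),
    the signature's hashed data, then the trailer 0x04 0xFF + 4-octet len."""
    key_part = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    uid_part = b"\xb4" + struct.pack(">I", len(user_id)) + user_id
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    return key_part + uid_part + hashed + trailer

def certification_digest(key_body, user_id, hashed):
    """SHA-256 digest that the certifier's private key would then sign."""
    data = certification_hash_input(key_body, user_id, hashed)
    return hashlib.sha256(data).hexdigest()

def certify_uids(key_body, user_ids, hashed):
    """One certification per selected user ID, as --sign-key produces;
    the same key gives a different digest for each uid."""
    return {uid: certification_digest(key_body, uid, hashed) for uid in user_ids}

if __name__ == "__main__":
    uids = [b"Bruce Badger <bruce@example.invalid>",
            b"Bruce Badger <bb@example.invalid>"]
    hashed = sig_hashed_data(0x10, 1061245600)
    print("fingerprint:", fingerprint_v4(SAMPLE_KEY_BODY))
    for uid, digest in certify_uids(SAMPLE_KEY_BODY, uids, hashed).items():
        print(uid.decode(), "->", digest)
```

Changing the uid changes the digest while the fingerprint stays the same, which is exactly why --sign-key asks which uids to sign.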

  5. Re: GPG --sign-Key ... what is signed?

    "David Shaw" wrote in message
    news:bhs4rt$l7c$1@foobar.cs.jhu.edu...
    > You can read more about it in RFC-2440.


    RFC? Wassat? Is there a link? I've never heard of RFCs before...


