trying to understand UID and subkeys

2009-03-05 Thread Felipe Alvarez
Me again. Sorry to sound newbish. I've googled, but I haven't found anything
quite detailed enough for me to grasp the 'whole forest' (so to speak).
My question is regarding 'subkeys.' Let me know if I am getting the
wording/terminology incorrect.

I understand that when I 'gen-key' I create a 'signing' key (to identify
tampering/modification) and an 'encryption' key (shouldn't this be a
DEcryption key? Wouldn't I use this for DEcrypting docs encrypted with my
public key? But I digress).

I am also able to add extra UIDs to my public key, so I can have, say 4
different email addresses, all attached to the same public key. Does this
mean I have several SIGNING keys, or several DEcryption keys? How do other
people use my extra UIDs? Can they pick one to use for encryption, and I
must use the twin (private) key matching that UID to decrypt it?

Why would I want to create new 'subkeys?' Of what benefit to have, say 5
subkeys belonging to one (master)(private)(signing) key?

What do the letters to the right of the words usage mean? (S,C,A,E) I can
only guess |S|ign, |E|ncrypt, 
##
fel...@cheetah:/tmp/gpg-kWzpHj gpg --edit boyd
gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  1024D/48C1382F  created: 2000-08-19  expires: never   usage: SCA
 trust: unknown   validity: unknown
sub  1024g/02B5A402  created: 2000-08-19  expires: never   usage: E
[ unknown] (1). Colin Boyd c.b...@xx.xx.xx

Command>

##

Sorry if this sounds elementary/trivial. I am new to PKI, and encryption,
etc.

I have read through GNUPG gettingstarted manual, and been reading this list
for nearly 1 week. If I have more questions, I hope you don't mind I ask
them here.

Thank you


Felipe
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Import all keys from signatures

2009-03-05 Thread Dirk Zemisch
Hi,

I just had some trouble with my keyrings, and after all the recovery etc. a
lot of keys I received earlier are gone.

But a lot of them are named in the sigs of my own key. Is there a
possibility to read out all key-IDs from the sigs and import the related
keys from a keyserver? Maybe someone here wrote a script or so?

I'm using WinXP and Ubuntu on the same keyring, so OS is not really
relevant.

Thanks in advance!
Dirk




Re: trying to understand UID and subkeys

2009-03-05 Thread David Shaw

On Mar 5, 2009, at 4:22 AM, Felipe Alvarez wrote:



> Me again. Sorry to sound newbish. I've googled, but I haven't found anything
> quite detailed enough for me to grasp the 'whole forest' (so to speak). My
> question is regarding 'subkeys.' Let me know if I am getting the
> wording/terminology incorrect.
>
> I understand that when I 'gen-key' I create a 'signing' key (to identify
> tampering/modification) and an 'encryption' key (shouldn't this be a
> DEcryption key? Wouldn't I use this for DEcrypting docs encrypted with my
> public key? But I digress).
>
> I am also able to add extra UIDs to my public key, so I can have, say 4
> different email addresses, all attached to the same public key. Does this
> mean I have several SIGNING keys, or several DEcryption keys?

Neither.  It means you have 4 different ways other people can find  
your key.  An OpenPGP key is made up of a pile of keys (a primary key  
plus some number of subkeys) and a pile of user IDs.  Any of the user  
IDs can be used to locate the key as a whole.  Sometimes people set  
different preferences (essentially hints to the sender on how to  
encrypt data) on different user IDs, but the key that they encrypt to,  
and thus the key that you decrypt with, remains the same.


> Why would I want to create new 'subkeys?' Of what benefit to have,
> say 5 subkeys belonging to one (master)(private)(signing) key?


One reason is to have different keys for different purposes.  You can  
have one subkey for encryption, one subkey for signing, and leave your  
primary key for certification.  This lets you do tricks like keeping  
your primary key offline.  This is useful as the primary key is the  
most valuable key (since it can make more subkeys), so protecting it  
is a good idea.


> What do the letters to the right of the words usage mean?
> (S,C,A,E) I can only guess |S|ign, |E|ncrypt,


(S)ign: sign some data (like a file)
(C)ertify: sign a key (this is called certification)
(A)uthenticate: authenticate yourself to a computer (for example,  
logging in)

(E)ncrypt: encrypt data

David


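The listing Felipe pasted and the S/C/A/E letters David explains, as an added shell example that is not part of the thread. It reads the machine-readable form of the same listing (`gpg --with-colons --list-keys`, the colon format behind what `--edit-key` shows) and expands the usage letters into words. The sample listing is constructed, with made-up key IDs, names, hashes and timestamps, in the layout David recommends: a certify-only primary, separate signing, encryption and authentication subkeys, and two user IDs on the one key.

```shell
#!/bin/sh
# Added example, not part of the thread: take the machine-readable form of the
# listing Felipe pasted (`gpg --with-colons --list-keys`) and spell out what the
# usage letters mean. Field 12 of a pub/sub record holds the capabilities:
# lowercase letters are what THAT particular key can do, uppercase letters (pub
# record only) are what the whole key, subkeys included, can do.
set -eu

# Constructed sample in the layout David recommends: a primary key that only
# certifies (c), separate signing (s), encryption (e) and authentication (a)
# subkeys, and two user IDs hanging off one primary key. Key IDs, timestamps,
# hashes and names are made up; on a real system you would instead pipe in
#   gpg --with-colons --list-keys KEYID
SAMPLE_LISTING='pub:u:2048:1:0123456789ABCDEF:1236211200:::u:::cESCA:
uid:u::::1236211200::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
uid:u::::1236211200::0000000000000000000000000000000000000002::Alice Example <alice@example.net>:
sub:u:2048:1:1111222233334444:1236211200::::::s:
sub:u:2048:1:5555666677778888:1236211200::::::e:
sub:u:2048:1:9999AAAABBBBCCCC:1236211200::::::a:'

# Own (lowercase) capabilities of every record of type $1 ("pub" or "sub"), one per line.
own_caps() {
    awk -F: -v want="$1" '$1 == want { gsub(/[^a-z]/, "", $12); print $12 }'
}

# Usable capabilities of the key as a whole (uppercase letters on the pub record).
whole_key_caps() {
    awk -F: '$1 == "pub" { gsub(/[^A-Z]/, "", $12); print $12 }'
}

# Number of user IDs: they are lookup handles for the same key, not extra keys.
count_uids() {
    awk -F: '$1 == "uid" { n++ } END { print n + 0 }'
}

# Succeeds if the primary key does nothing but certify, i.e. the layout that
# lets you keep the primary secret key offline.
primary_is_cert_only() {
    [ "$(own_caps pub)" = "c" ]
}

# Human summary: one line per record, usage letters expanded into words.
describe_listing() {
    awk -F: '
    function words(caps,    out, i, ch) {
        out = ""
        for (i = 1; i <= length(caps); i++) {
            ch = substr(caps, i, 1)
            if      (ch == "s" || ch == "S") out = out " sign-data"
            else if (ch == "c" || ch == "C") out = out " certify-keys"
            else if (ch == "a" || ch == "A") out = out " authenticate"
            else if (ch == "e" || ch == "E") out = out " encrypt"
        }
        return out
    }
    $1 == "pub" { own = $12; gsub(/[^a-z]/, "", own)
                  all = $12; gsub(/[^A-Z]/, "", all)
                  printf "primary %s: this key can%s; whole key can%s\n", $5, words(own), words(all) }
    $1 == "uid" { printf "  uid %s (a handle for finding the key, not a key)\n", $10 }
    $1 == "sub" { printf "  subkey %s: can%s\n", $5, words($12) }
    '
}

printf '%s\n' "$SAMPLE_LISTING" | describe_listing
```

On the key in Felipe's paste the primary would show own capabilities `sca` and whole-key `ESCA`, because the only subkey is the `e` one; the sample above differs from it on purpose, to show the split David is suggesting.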


Re: Import all keys from signatures

2009-03-05 Thread David Shaw

On Mar 5, 2009, at 4:48 AM, Dirk Zemisch wrote:


> Hi,
>
> I just had some trouble with my keyrings, and after all the recovery etc. a
> lot of keys I received earlier are gone.
>
> But a lot of them are named in the sigs of my own key. Is there a
> possibility to read out all key-IDs from the sigs and import the related
> keys from a keyserver? Maybe someone here wrote a script or so?
>
> I'm using WinXP and Ubuntu on the same keyring, so OS is not really
> relevant.

Sure.  On the Ubuntu system, do this:

gpg --recv-keys `gpg --with-colons --list-sigs YOUR-KEY-ID-HERE | egrep '^sig' | cut -d: -f5 | uniq`


David

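David's one-liner carried a little further, as an added shell example that is not from the thread. It reads the same `gpg --with-colons --list-sigs` output, takes the signer key ID (field 5 of each `sig` record), leaves out your own self-signatures, and de-duplicates with `sort -u` rather than `uniq` (the same signer under two of your user IDs is not adjacent in the listing). A second function keeps only signers whose key is absent from the keyring, using the `[User ID not found]` text GnuPG puts in the user-ID field of a `sig` record it cannot resolve. The sample listing is constructed; key IDs, names and dates are made up.

```shell
#!/bin/sh
# Added example, not from the thread: a more careful version of David's
# `gpg --recv-keys $(... --list-sigs ... | cut -d: -f5 | uniq)`.
set -eu

# Constructed sample of `gpg --with-colons --list-sigs KEYID`; key IDs, names
# and dates are made up. The "rev" record (a revocation certificate) is there
# deliberately to show it is skipped, and signer CCCC... appears under both
# user IDs, which plain `uniq` would not collapse.
SAMPLE_SIGS='pub:u:1024:17:AAAAAAAAAAAAAAAA:1236211200:::u:::scaESCA:
uid:u::::1236211200::0000000000000000000000000000000000000001::Dirk Example <dirk@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1236211200::::Dirk Example <dirk@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1236211300::::[User ID not found]:10x:
sig:::1:CCCCCCCCCCCCCCCC:1236211400::::Carol Example <carol@example.org>:10x:
uid:u::::1236211200::0000000000000000000000000000000000000002::Dirk Example <dirk@example.net>:
sig:::17:AAAAAAAAAAAAAAAA:1236211200::::Dirk Example <dirk@example.org>:13x:
sig:::1:CCCCCCCCCCCCCCCC:1236211400::::Carol Example <carol@example.org>:10x:
sig:::17:DDDDDDDDDDDDDDDD:1236211500::::[User ID not found]:10x:
rev:::17:EEEEEEEEEEEEEEEE:1236211600::::[User ID not found]:30x:
sub:u:1024:16:FFFFFFFFFFFFFFFF:1236211200::::::e:'

# Every distinct signer except yourself ($1 = your own long key ID, whose
# self-signatures do not need fetching).
signer_ids() {
    awk -F: -v own="$1" '$1 == "sig" && $5 != own { print $5 }' | sort -u
}

# Only signers whose key is not in the keyring: the ones actually worth fetching.
# "[User ID not found]" is what GnuPG prints in field 10 for an unknown signer.
missing_signer_ids() {
    awk -F: '$1 == "sig" && $10 == "[User ID not found]" { print $5 }' | sort -u
}

# Real use (needs your keyring and a keyserver; not run here):
#   fetch_missing_signers 0x0123456789ABCDEF
fetch_missing_signers() {
    ids=$(gpg --with-colons --list-sigs "$1" | missing_signer_ids)
    if [ -n "$ids" ]; then
        # shellcheck disable=SC2086  # word-splitting the ID list is intended
        gpg --recv-keys $ids
    fi
}

printf '%s\n' "$SAMPLE_SIGS" | signer_ids AAAAAAAAAAAAAAAA
```

Whatever comes back from `--recv-keys` is only "a key someone uploaded under that key ID"; the signatures on your own key tell you who signed it, not that the fetched key is theirs, so check fingerprints (or that the fetched key actually verifies the signature it was fetched for) before trusting it again.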


Re: trying to understand UID and subkeys

2009-03-05 Thread gerry_lowry (alliston ontario canada)
David Shaw wrote, in part:

You can  have one subkey for encryption, one subkey for signing, and
leave your primary key for certification.

This lets you do tricks like keeping your primary key offline.

This is useful as the primary key is the most valuable key (since it can 
make more subkeys),

Question # 1:  does primary key here mean primary PUBLIC key?

Question # 2:  without the pass phrase, how can one make more subkeys?

Question # 3:  what determines that a key is a primary key?
  (is it because --gen-key was used instead of --edit-key?)

Question # 4:  by offline, do you mean not on a keyserver?
  (versus not on your local hard disk?)



Thank you.
Gerry (Lowry)



Re: trying to understand UID and subkeys

2009-03-05 Thread David Shaw
On Thu, Mar 05, 2009 at 12:14:24PM -0500, gerry_lowry (alliston ontario canada) 
wrote:
> David Shaw wrote, in part:
>
> You can have one subkey for encryption, one subkey for signing, and
> leave your primary key for certification.
>
> This lets you do tricks like keeping your primary key offline.
>
> This is useful as the primary key is the most valuable key (since it
> can make more subkeys),
>
> Question # 1:  does primary key here mean primary PUBLIC key?

No.  Primary secret key.  There is no risk in keeping a primary public
key online.  It's public already.

> Question # 2:  without the pass phrase, how can one make more subkeys?

You cannot.  To make more subkeys you need both the passphrase and the
primary secret key.

> Question # 3:  what determines that a key is a primary key?
>   (is it because --gen-key was used instead of --edit-key?)

Essentially, yes.  --gen-key always makes a primary key.  If you
accept the default, it also makes you a single subkey.  You can add
more subkeys to it later via --edit-key.

> Question # 4:  by offline, do you mean not on a keyserver?
>   (versus not on your local hard disk?)

By offline I mean not even on your local hard disk.  Offline, say, on
a USB flash disk, or a CD-R.

David

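The offline-primary arrangement David describes (primary secret key on a USB stick or CD-R, only the secret subkeys on the hard disk), as an added shell example that is not part of the thread. The command sequence is the classic GnuPG 1.4/2.0 one, matching the gpg 2.0.9 banner earlier on the page; `move_primary_offline` and `primary_is_offline` are names chosen here, their arguments are assumptions, and the two listings the check is exercised against are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: put the primary secret key offline and
# keep only the secret subkeys on the online machine (GnuPG 1.4/2.0 commands).
#
# Afterwards the keyring on the hard disk holds only the secret SUBKEYS. The
# primary secret key exists only on the removable medium and is brought back
# only to add or revoke subkeys, add user IDs, or certify someone else's key.
# Signing, decrypting and authenticating work from the subkeys alone, which is
# why losing the online machine is survivable: the offline primary revokes the
# old subkeys and issues new ones, and the key as a whole keeps its identity.
set -eu

# In the human-readable `gpg --list-secret-keys` output a primary secret key
# that is only a stub (secret material not present) prints as "sec#", not "sec".
primary_is_offline() {
    grep -q '^sec#'
}

# Not run here: needs a real keyring, asks for confirmation, and writes to the
# medium. $1 = key ID, $2 = mount point of the USB stick (or a directory you
# will burn to CD-R).
move_primary_offline() {
    keyid=$1
    medium=$2

    # 1. The full secret key (primary + subkeys) goes to the removable medium only.
    gpg --export-secret-keys "$keyid" > "$medium/secret-$keyid.gpg"
    # 2. The secret subkeys alone are what the online machine gets to keep.
    gpg --export-secret-subkeys "$keyid" > "subkeys-$keyid.gpg"
    # 3. Remove the complete secret key from the keyring, then restore just the
    #    subkeys. The export file is passphrase-protected like the keyring, but
    #    it is still secret material, so it is removed once imported.
    gpg --delete-secret-keys "$keyid"
    gpg --import "subkeys-$keyid.gpg"
    rm -f "subkeys-$keyid.gpg"
    # 4. Verify: the primary must now show as "sec#".
    gpg --list-secret-keys "$keyid" | primary_is_offline
}

# Constructed listings to exercise the check without a keyring (IDs and names made up).
OFFLINE_LISTING='sec#  2048R/0123456789ABCDEF 2009-03-05
uid                  Alice Example <alice@example.org>
ssb   2048R/1111222233334444 2009-03-05
ssb   2048R/5555666677778888 2009-03-05'

ONLINE_LISTING='sec   2048R/0123456789ABCDEF 2009-03-05
uid                  Alice Example <alice@example.org>
ssb   2048R/1111222233334444 2009-03-05'

if printf '%s\n' "$OFFLINE_LISTING" | primary_is_offline; then
    echo "constructed offline listing: primary secret key is a stub (sec#)"
fi
if ! printf '%s\n' "$ONLINE_LISTING" | primary_is_offline; then
    echo "constructed online listing: primary secret key still on disk (sec)"
fi
```

Step 1 is the part that needs the most care: the exported primary is the only copy that can make new subkeys, so make (and test) a second copy before deleting anything, and keep both copies off any machine that is routinely online.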


Re: trying to understand UID and subkeys

2009-03-05 Thread Joseph Oreste Bruni
 
On Thursday, March 05, 2009, at 10:14AM, gerry_lowry (alliston ontario 
canada) gerry.lo...@abilitybusinesscomputerservices.com wrote:
> David Shaw wrote, in part:
>
> You can have one subkey for encryption, one subkey for signing, and
> leave your primary key for certification.
>
> This lets you do tricks like keeping your primary key offline.
>
> This is useful as the primary key is the most valuable key (since it can
> make more subkeys),
>
> Question # 1:  does primary key here mean primary PUBLIC key?
>
> Question # 2:  without the pass phrase, how can one make more subkeys?
>
> Question # 3:  what determines that a key is a primary key?
>   (is it because --gen-key was used instead of --edit-key?)
>
> Question # 4:  by offline, do you mean not on a keyserver?
>   (versus not on your local hard disk?)



Hi Gerry,

When someone is referring to a key they are typically referring to a key 
pair -- both public and private. Your primary key and various subkeys are all 
keypairs.

Public keys are used for encryption and verifying digital signatures.

Private keys are used for decryption, creating digital signatures, and for 
signing other keys.

A subkey (keypair) that is flagged for encryption will have both public and 
private components. 

Joe

