Qual è il significato dell'output di --list-sigs di GnuPG?

9

gpg --list-sigs mi dà qualcosa come il seguente (ho modificato l'output solo per mostrare le righe interessanti / diverse):

pub   2048R/4ACE309C 2016-11-01
uid                  lala_test2 <[email protected]>
sig 3        4ACE309C 2016-11-01  lala_test2 <[email protected]>
uid                  test_key <[email protected]>
sig 3        4ACE309C 2016-11-01  lala_test2 <[email protected]>
sub   2048R/EA9FDC87 2016-11-01
sig          4ACE309C 2016-11-01  lala_test2 <[email protected]>
sig 2        03A9DA1F 2014-02-11  [User ID not found]
sig 3        5B51CBCF 2011-10-25  [User ID not found]
sig 3        06B47049 2011-10-26  [User ID not found]
sig 3        00C85EF1 2011-10-31  [User ID not found]
sig 3        5A4BEDCE 2011-10-06  [User ID not found]
sig        1 F2648165 2011-10-07  [User ID not found]
sig       X  CA57AD7C 2005-07-31  [User ID not found]
sig       X  CA57AD7C 2005-08-01  [User ID not found]
sig 2     X  DC79FAC9 2003-09-26  [User ID not found]
sig          7EE2682F 2016-06-03  [User ID not found]
rev          7EE2682F 2016-06-03  [User ID not found]

I tag nella prima colonna indicano:

  • pub - > chiave pubblica
  • uid - > ID utente
  • sig - > firma, da un'altra persona che afferma di fidarsi della chiave sotto il tag pub
  • sub - > sottochiave
  • rev - > è una firma la cui chiave è stata revocata dal firmatario?

2048R - > 2048 è la dimensione della chiave e R per RSA. C'è anche l'ID della chiave breve, la data di creazione, e l'ultimo è l'ID utente quando disponibile.

Che cosa significano i numeri in una riga sig dopo la prima colonna?

    
posta Lilás 01.11.2016 - 19:33
fonte

2 risposte

10

Livelli di certificazione

Esistono diverse classi di certificazioni. Citando RFC 4880, OpenPGP, 5.2.1. Tipi di firma :

[...]

0x10: Generic certification of a User ID and Public-Key packet.
   The issuer of this certification does not make any particular
   assertion as to how well the certifier has checked that the owner
   of the key is in fact the person described by the User ID.

0x11: Persona certification of a User ID and Public-Key packet.
   The issuer of this certification has not done any verification of
   the claim that the owner of this key is the User ID specified.

0x12: Casual certification of a User ID and Public-Key packet.
   The issuer of this certification has done some casual
   verification of the claim of identity.

0x13: Positive certification of a User ID and Public-Key packet.
   The issuer of this certification has done substantial
   verification of the claim of identity.

Most OpenPGP implementations make their "key signatures" as 0x10
certifications.  Some implementations can issue 0x11-0x13
certifications, but few differentiate between the types.

[...]

GnuPG visualizza le firme% "%" 0x10 come sig e le firme avanzate che distinguono tra diversi tipi di livelli di certificazione con un numero seguente: 0x11 come sig 1 , 0x12 come sig 2 e 0x13 come sig 3 . rev indica le firme revocate.

L'output di --list-sigs è anche spiegato dalle pagine di manuale di GnuPG ( man gpg ):

--list-sigs
    Same as --list-keys, but the signatures are listed too.  This command has the
    same effect as using --list-keys with --with-sig-list.

    For  each  signature listed, there are several flags in between the "sig" tag
    and keyid. These flags give additional information about each signature. From
    left  to  right,  they  are  the numbers 1-3 for certificate check level (see
    --ask-cert-level), "L" for a local or non-exportable signature (see  --lsign-
    key), "R" for a nonRevocable signature (see the --edit-key command "nrsign"),
    "P" for a signature that contains a policy URL (see  --cert-policy-url),  "N"
    for  a  signature  that contains a notation (see --cert-notation), "X" for an
    eXpired signature (see --ask-cert-expire), and the numbers 1-9 or "T" for  10
    and  above  to  indicate  trust  signature levels (see the --edit-key command
    "tsign").

vaghezza

Nota anche il primo paragrafo della sezione delle specifiche, che indica che non esiste una definizione generale e rigida dei livelli di certificazione:

There are a number of possible meanings for a signature, which are indicated in a signature type octet in any given signature. Please note that the vagueness of these meanings is not a flaw, but a feature of the system. Because OpenPGP places final authority for validity upon the receiver of a signature, it may be that one signer's casual act might be more rigorous than some other authority's positive act. [...]

Per questo motivo, alcune persone pubblicano politiche di certificazione. Ho fornito alcune discussioni in Che cosa stai dicendo quando firmi una chiave PGP?

    
risposta data 01.11.2016 - 20:12
fonte
5

Cercando di chiarire alcuni dettagli del post di Jens Erat in lingua umana: " " => 0x00 Generic certification: does not make any particular ownership assertion "1" => 0x11 Persona certification: has not done any ownership verification "2" => 0x12 Casual certification: has done some identity verification "3" => 0x13 Positive certification: has done substantial identity verification

E ancora per la leggibilità: "L" for a Local or non-exportable signature (see --lsign- key) "R" for a non-Revocable signature (see --edit-key command "nrsign") "P" for a signature that contains a Policy URL (see --cert-policy-url) "N" for a signature that contains a Notation (see --cert-notation) "X" for an eXpired signature (see --ask-cert-expire) "T" or [1-9] indicate trust signature levels (see --edit-key command "tsign")

    
risposta data 09.05.2017 - 17:13
fonte

Leggi altre domande sui tag