[pkg-gnupg-maint] Bug#817858: Bug#817858: gnupg: tsign domain not documented

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Mar 11 21:42:40 UTC 2016


On Thu 2016-03-10 19:59:24 -0500, Clint Adams wrote:
> Package: gnupg
> Version: 1.4.18-7
>
> When doing a 'tsign' in --edit-key, gpg says
>
>     Please enter a domain to restrict this signature, or enter for none.
>
> The meaning of this does not appear to be documented.

fwiw, it means "limit this trust signature to only cover certifications
of User IDs with e-mail addresses that have the given domain after the @
sign"

So if i tsign admin@example.org's key X with a domain of "example.org",
then gpg will only be willing to rely on certifications from X over user
IDs of the form "blah blah <blah@example.org>"

This is implemented with a specific, custom regex as documented here:

 https://tools.ietf.org/html/rfc4880#section-5.2.3.14

This is the rough equivalent of "name-constrained" X.509 CAs.

     --dkg
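An added example (not part of the message above, and not GnuPG's own code) showing how the domain restriction behaves once turned into the RFC 4880 regex. It assumes GnuPG emits a Regular Expression subpacket of the form `<[^>]+[@.]DOMAIN>$` with the dots in DOMAIN escaped; the sample User IDs are constructed.

```python
import re

# Assumption: for a tsign domain, GnuPG stores a Regular Expression
# subpacket (RFC 4880, section 5.2.3.14) of the form
#   <[^>]+[@.]DOMAIN>$
# with the dots of DOMAIN backslash-escaped. Python's re module treats
# this pattern the same way as the RFC's Henry Spencer regex syntax.

def domain_regex(domain: str) -> str:
    """Build the trust-signature scope regex for one domain."""
    return "<[^>]+[@.]" + re.escape(domain) + ">$"

def uid_in_scope(domain: str, user_id: str) -> bool:
    """True if a certification by the tsigned key over this User ID
    is honoured under the domain restriction."""
    return re.search(domain_regex(domain), user_id) is not None

def filter_certified_uids(domain: str, user_ids):
    """Split certified User IDs into those the trust signature covers
    and those it leaves untrusted."""
    covered, ignored = [], []
    for uid in user_ids:
        (covered if uid_in_scope(domain, uid) else ignored).append(uid)
    return covered, ignored

# Constructed sample User IDs that key X might have certified.
SAMPLE_UIDS = [
    "Alice <alice@example.org>",           # plain match
    "Bob (ops) <bob@mail.example.org>",    # subdomain also matches via [@.]
    "Mallory <mallory@notexample.org>",    # 't' precedes 'example': no match
    "Trudy <trudy@example.org.evil.net>",  # domain not at the end: no match
    "nobrackets@example.org",              # no '<...>' form: no match
]

if __name__ == "__main__":
    covered, ignored = filter_certified_uids("example.org", SAMPLE_UIDS)
    print("covered:", covered)
    print("ignored:", ignored)
```

Note that the `[@.]` alternative means certifications over subdomain addresses are also trusted, while a User ID without the `<...>` form is never covered.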