10

When viewing a key record in a public key server, such as this one, there are lots of keywords used: sig, sig3, exp3, Policy, sbind…). I understand that "sig" probably means a signature, but what's the difference between a "sig" and a "sig3" and a "sbind"? And what exactly is a "Policy" record?

2 Answers2

9

In OpenPGP, signatures are used not only for documents, but also for certifications between primary keys with different levels of trust (sig, sig1, sig2, sig3; as hex codes 0x10-0x13 in this order) and several more internal stuff.

Signatures are also very important for binding subkeys to primary keys (and the other way round): these are displayed as sbind signatures by key servers, and a simple sig by GnuPG, and have signature types 0x18 and 0x19 in OpenPGP. User IDs are bound by "normal" certification signatures, also called self-signatures or selfsigs.

If for any reason you want to undo a signature, this is generally not possible (you cannot delete anything from the key server network). Instead, you again issue another kind of signature, a revocation of a key (0x20), revocation of a subkey (0x28) or revocation of a certificate (0x30). All of those will be displayed as revok by most key servers, and rev by GnuPG.

A certification policy displayed with the key word Policy drops out of this list, a little bit, as it does not denote another signature type, but is a signature subpacket describing a so-called certification policy. I already left a more detailed description in "What are you saying when you sign a PGP key?". Notations also describe a certification, and could for example be used to describe how the signer identified the signee.

The signature types are defined in RFC 4880, OpenPGP, 5.2.1. Signature Types, signature subpackets only a little bit further down in the same document.

Jens Erat
  • 23,446
  • 12
  • 72
  • 96
  • Jens, thanks a lot for the super detailed answer. I understand now that signatures (**sig***) are used for issuing certificates. One thing I still don't get is, why would one issue a certificate (`0x30`) in order to undo a signature? – Wladston Ferreira Filho Aug 07 '15 at 17:57
  • 1
    Technically, all of those are signatures; I (and others) prefer using the term _certification_ for signatures on keys. If you want to revoke a certification (thus, a signature on somebody else's key), you issue a new revocation (revocation signature), which tells "The previously issued certification is invalid". I think you misinterpreted my wording, which I slightly adjusted to hopefully remove ambiguity. – Jens Erat Aug 08 '15 at 09:24
0

There is a pretty good write up about PGP at Wikipedia.

According to the GPG manual (pgp for linux) under --check-sigs flag:

The status of the verification is indicated by a flag directly following the "sig" tag...

So, looking at that:

  • Sig3 means that another user has personally checked the fingerprint or key.
  • If it says Sig only the means another user hasn't personally checked [the] fingerprint or key. (They're not vouched for.)

Other records

sbind is the time where the username was bound to the key. Basically when the record was created. This may be impacted by a policy.

revok is where the binding was revoked, so the key is no longer valid.

Policy is a specific user's policy in regard to how they'll exchange communications, their terms for contact, (and how they won't).

AbsoluteƵERØ
  • 3,104
  • 17
  • 20