
Why are "certificates" needed, if the GNU Privacy Guard already supports signing?

2016-02-15
  • Martin Vahi

    Martin Vahi - 2016-02-15

    Could someone please explain, why is there
    another layer of containers used for signing
    outgoing e-mail, generally called "certificates", if
    e-mail can be signed by using the GNU Privacy Guard and
    my secret key?

    This question emanates from the fact that
    the key manager at Thunderbird-Enigmail is
    capable of using the system GNU Privacy Guard
    with my set of keys for decryption, but
    when I changed my key-pair due to the old one
    expiring, I ran into the nasty issue of
    figuring out how to create a "certificate"
    to just sign my outgoing e-mails with the new
    key. For the old key I somehow figured it out,
    but it was years ago, but I remember that
    I was puzzled the same way back then, like,

    WHY THE HELL DO I NEED TO GENERATE ANOTHER
    CONTAINER, a "certificate", IF I ALREADY
    HAVE THE GNU Privacy Guard private key and
    the Enigmail interfaces with the GNU Privacy Guard just fine?

    If that extra container is necessary due to
    some legacy reasons, dumb standards or something,
    then couldn't the Enigmail just automatically
    use the GNU Privacy Guard key pair and
    generate that wrapping container, the "certificate",
    and use it transparently without making the
    end users figure out how to manually do
    some file conversions?

    Maybe I have totally misunderstood something,
    but this is my current (2016_02) understanding
    of the issue.

    Thank You for reading this letter,
    I hope to be thoroughly mistaken. :-D

     
    • Rob

      Rob - 2016-02-15

      > Could someone please explain, why is there
      > another layer of containers used for signing
      > outgoing e-mail, generally called "certificates", if
      > e-mail can be signed by using the GNU Privacy Guard and
      > my secret key?

      Sure. You're getting confused by terminology. Most people talk about
      their public key or private key -- but that's incorrect language:
      they're really talking about their public or private certificates.
      (Their keys are just small bits of data embedded in their certificates.)

      You seem to think certificates are something new. They're not. You've
      been using them all this time. What you call your 'keypair' is really
      your certificate.

      Look through the official GnuPG FAQ and see how often it uses the term
      "key" and how it uses it -- then do the same for "certificate".

      https://www.gnupg.org/faq/gnupg-faq.html#define_key
      https://www.gnupg.org/faq/gnupg-faq.html#define_certificate

      > WHY THE HELL DO I NEED TO GENERATE ANOTHER
      > CONTAINER, a "certificate", IF I ALREADY
      > HAVE THE GNU Privacy Guard private key and
      > the Enigmail interfaces with the GNU Privacy Guard just fine?

      If you have a certificate you've generated with GnuPG, Enigmail can use it.
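
Rob's point that a key is a small piece of data embedded in a certificate, as an added example (not part of either post, and not GnuPG or Enigmail code): a parser for OpenPGP packet headers (RFC 4880, section 4.2) run over a constructed, certificate-shaped byte string. The names `read_packets`, `describe`, `pkt` and `SAMPLE` are assumptions made for this example, and the sample bodies are placeholders, not real key material.

```python
# Added example: list the packets inside an OpenPGP certificate (RFC 4880, section 4.2).
TAGS = {2: "Signature", 6: "Public-Key", 13: "User ID", 14: "Public-Subkey"}

def read_packets(data):
    """Return [(tag, body), ...] for a binary (non-armored) OpenPGP packet stream."""
    packets, i = [], 0
    try:
        while i < len(data):
            first = data[i]
            if not first & 0x80:
                raise ValueError(f"offset {i}: not an OpenPGP packet header")
            i += 1
            if first & 0x40:  # new-format header: tag in bits 5-0
                tag, o1 = first & 0x3F, data[i]
                if o1 < 192:
                    length, i = o1, i + 1
                elif o1 < 224:
                    length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
                elif o1 == 255:
                    length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
                else:
                    raise ValueError("partial body lengths are not handled here")
            else:  # old-format header: tag in bits 5-2, length type in bits 1-0
                tag, ltype = (first >> 2) & 0x0F, first & 0x03
                if ltype == 3:
                    raise ValueError("indeterminate length is not handled here")
                n = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
            if i + length > len(data):
                raise ValueError("truncated packet body")
            packets.append((tag, data[i:i + length]))
            i += length
    except IndexError:
        raise ValueError("truncated packet header") from None
    return packets

def describe(data):
    return [TAGS.get(tag, f"tag {tag}") for tag, _ in read_packets(data)]

# Hypothetical helper that builds the constructed sample (one-octet lengths only).
def pkt(tag, body, new=False):
    return bytes([(0xC0 | tag) if new else 0x80 | (tag << 2), len(body)]) + body

# Constructed sample: placeholder bodies, not real key material or signatures.
SAMPLE = (pkt(6, b"K" * 40) + pkt(13, b"Alice <alice@example.org>", new=True)
          + pkt(2, b"S" * 60) + pkt(14, b"k" * 40, new=True) + pkt(2, b"S" * 60))

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

`gpg --list-packets` prints the same structure for a real exported certificate.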

       
