The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools


OpenPGP Identity Structure

An OpenPGP identity1) contains the information that you give to others to allow them to verify signed messages/files from you and encrypt messages/files to you. It often comes in the form of file.

It more or less looks like this:

The Certification Public Key is the root of your OpenPGP identity. You have a corresponding certification secret key that only you have access to. You use this certification secret key to sign the parts of the OpenPGP identity. Then others can use the “Certification Public Key” to verify that the signatures are yours. These signatures are used to tie the parts of your OpenPGP identity together.

Each signature represents your assertion that the thing being signed is a valid part of your identity. There are two things so signed in the diagram:

The Encryption Public Key is used by others to encrypt things that only you can decrypt. Your signature certifies that this is the correct key for that purpose. Otherwise the wrong key might be used which could allow people other than you to decrypt those things.

The User ID is by tradition a name, an email address and an optional comment. Your signature certifies that it represents you in some sense. It is an important convenience that allows you and others to link the OpenPGP identity to your name and, where applicable, your email address. It also contains a Preference List that is also locked to the OpenPGP identity. You can have as many of these as you want to allow the use of this OpenPGP identity in different contexts with different names, email addresses and preferences. Some of the preferences are cryptographic and must exist to prevent downgrade attacks. As a result, at least one User ID is mandatory in an OpenPGP identity.

The Certification Public Key takes the form of a very large/long number. For convenience a Shortener is used to create a shorter number from that large/long number called a Fingerprint. This Fingerprint is further shortened by the use of letters in addition to the traditional ten digits. You can ask someone to show or tell you that number to verify that they have the OpenPGP identity that you want them to use. After that verification then that someone can be confident that any declarations you have made through the use of signatures are legitimate. That means they can can be confident that the User ID(s) and Encryption Public Key belong to you even if they did not get the OpenPGP identity from you in person.

The Certification Public Key is usually also used to sign things like documents, files and messages but sometimes there is a separate signing key in the identity used for those signatures. The separate signing key will then be locked to the OpenPGP identity with a signature from the Certification Public key as seen with the User ID and Encryption Public Key.


Often called a “PGP Public Key”, but the term is confusing in more than one way in this context.
pgpfan/identstruct.txt · Last modified: 2021/06/05 00:39 by b.walzer