When doing a 'tsign' in --edit-key, gpg says
Please enter a domain to restrict this signature, or enter for none.
The meaning of this does not appear to be documented.
I have added this note to the description of the tsign command in the gpg man
page from master (2.1). Won't be changed for 1.4.
+ or groups. For more information please read the sections
+ `Trust Signature'' and `Regular Expression'' in RFC-4880.
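Review bot: the two added lines send the reader to RFC 4880 for the meaning of the prompt but never say what "domain" is at that prompt, which is exactly what the report asks for; suggest stating it in the man-page paragraph itself, e.g. "Optionally restrict the signature to a domain (the domain part of the mail address) ...", since a reader at the prompt will not have the RFC to hand.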
(domain means the domain part of the mail address).
I'm not convinced that the +-prefixed lines address clint's concern.
In particular, the parenthetical remark "(domain means the domain part of the
mail address)" is the important bit -- will this be documented somewhere?
Nobody provided a better description, so I am closing here. Of course, we can still add one if somebody wants to improve it.
I don't think this issue is actually resolved. There's a feature here (I think), but it's not documented to the point where anyone can figure out how to use it. If there's no way to use it, the feature should be removed (or at least deprecated).
In monkeysphere-authentication(8), we use tsigs internally, and their use is documented with the following description of the domain option:
Using the `-n' or `--domain' option allows you to indicate that you only trust the given KEYID to make identifications within a specific domain (e.g. "trust KEYID to certify user identities within the @example.org domain").
Is this correct? The underlying implementation relies on GnuPG doing what I think is intended here, but I haven't tested it recently (and it's not covered by the monkeysphere test suite). I don't see tsigs included in the gpg test suite either (though I might be missing them someplace). Are tsigs included in any test suite?
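To make concrete what "restrict this signature to a domain" can mean, here is an added example (not part of this thread or of GnuPG or monkeysphere) that builds the regular expression RFC 4880 section 5.2.3.14 uses as its illustration, `<[^>]+[@.]example\.com>$`, from a domain string and applies it to a few constructed user IDs. The derivation from the domain is my assumption about the intended semantics, not a statement of what gpg does internally.

```python
import re


def domain_to_regex(domain: str) -> str:
    """Return the RFC 4880 style regular expression for a domain restriction.

    RFC 4880 sect. 5.2.3.14 gives '<[^>]+[@.]example\\.com>$' as its example.
    Generalising that shape to an arbitrary domain is an assumption made here;
    it is not taken from GnuPG's source.
    """
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"


def uid_in_domain(uid: str, domain: str) -> bool:
    """True if the mail address in a user ID falls under `domain` or a subdomain.

    The '[@.]' before the domain admits both 'user@domain' and
    'user@sub.domain'; the '>$' refuses anything appended after the domain.
    """
    return re.search(domain_to_regex(domain), uid) is not None


# Constructed sample user IDs; none of these are real people or keys.
SAMPLE_UIDS = [
    "Alice <alice@example.org>",               # exact domain: in scope
    "Bob <bob@mail.example.org>",              # subdomain: in scope
    "Eve <eve@example.org.evil.test>",         # domain is only a prefix: out
    "Mallory <mallory@notexample.org>",        # domain is only a suffix: out
    "Trent (no mail address)",                 # no <...> part at all: out
]


def check_all(domain: str) -> dict:
    """Map each sample user ID to whether the domain restriction covers it."""
    return {uid: uid_in_domain(uid, domain) for uid in SAMPLE_UIDS}


if __name__ == "__main__":
    print("regex:", domain_to_regex("example.org"))
    for uid, covered in check_all("example.org").items():
        print(f"{'covered ' if covered else 'excluded'}  {uid}")
```

The point for a tsign user is that only user IDs whose mail address is at the given domain or a subdomain of it are covered; any certification the signed key makes on other user IDs stays outside the trust grant.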
Is this correct?
Yes. However...
the underlying implementation relies on GnuPG doing what I think is intended here, but I haven't tested it recently
I don't know for GnuPG 1.x, but with GnuPG 2.1 trust signature domain restrictions actually do not work as expected, because of T2923.
My point is that without clear documentation of what is expected, it's pretty hard to tell whether the code is even working or not. Sounds like it isn't :(