tsign domain not documented
Open, Low, Public


When doing a 'tsign' in --edit-key, gpg says

Please enter a domain to restrict this signature, or enter for none.

The meaning of this does not appear to be documented.


clint set Version to 1.4.20. Mar 12 2016, 12:32 AM
clint added projects: gnupg, Bug Report.
clint added a subscriber: clint.
werner lowered the priority of this task from Normal to Low.
werner added a subscriber: werner. Apr 8 2016, 9:51 AM

I have added this note to the description of the tsign command in the gpg man
page from master (2.1). Won't be changed for 1.4.

+ or groups. For more information please read the sections
+ `Trust Signature'' and `Regular Expression'' in RFC-4880.

(domain means the domain part of the mail address).

dkg added a subscriber: dkg. Apr 12 2016, 2:03 AM

I'm not convinced that the +-prefixed lines address clint's concern.

In particular, the parenthetical remark "(domain means the domain part of the
mail address)" is the important bit -- will this be documented somewhere?

If someone comes up with a brief description on how to use it, we can add it.

marcus closed this task as Resolved. Jul 13 2017, 4:39 PM
marcus claimed this task.
marcus added a subscriber: marcus.

Nobody provided a better description, so I am closing here. Of course, we can still add one if somebody wants to improve it.

dkg reopened this task as Open. Jul 14 2017, 12:04 PM

I don't think this issue is actually resolved. There's a feature here (I think) but it's not documented to the point where anyone can figure out how to use it. If there's no way to use it, the feature should be removed (or at least deprecated).

In monkeysphere-authentication(8), we use tsigs internally, and their use is documented with the following description of the domain option:

    Using the `-n' or `--domain' option allows you to indicate that you only
    trust the given KEYID to make identifications within a specific domain
    (e.g. "trust KEYID to certify user identities within the @example.org
    domain").

Is this correct? The underlying implementation relies on GnuPG doing what I think is intended here, but I haven't tested it recently (and it's not covered by the monkeysphere test suite). I don't see tsigs included in the gpg test suite either (though I might be missing them someplace). Are tsigs included in any test suite?
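As an added illustration (not code from this thread, from GnuPG or from monkeysphere): the restriction that werner's parenthetical and the monkeysphere text describe corresponds to the regular-expression form RFC-4880 gives for trust signatures, `<[^>]+[@.]example\.com>$`. The script below builds that pattern from a domain and shows which constructed user IDs it covers; that GnuPG's tsign prompt produces exactly this pattern is an assumption here, and the script shows the intended semantics, not what a given gpg version enforces.

```python
import re

# RFC 4880 (section 5.2.3.14, "Regular Expression") shows the pattern
# <[^>]+[@.]example\.com>$ as the way a trust signature is limited to user
# IDs whose e-mail address is in example.com or one of its subdomains.
# Assumption (not verified on this page): GnuPG's tsign "domain" prompt
# builds the same pattern from the answer, escaping the dots.
DOMAIN_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")


def domain_to_regexp(domain: str) -> str:
    """Turn a mail domain such as 'example.org' into the RFC 4880 pattern."""
    domain = domain.strip().lstrip("@")
    if not DOMAIN_CHARS.match(domain):
        raise ValueError(f"not a plain mail domain: {domain!r}")
    # Only '.' is a regex metacharacter in a hostname, so escape just that.
    return "<[^>]+[@.]" + domain.replace(".", r"\.") + ">$"


def uid_matches_domain(user_id: str, domain: str) -> bool:
    """True if a trust signature restricted to `domain` covers this user ID."""
    return re.search(domain_to_regexp(domain), user_id) is not None


def check_user_ids(user_ids, domain):
    """Map each user ID to whether the domain-restricted tsign applies to it."""
    return {uid: uid_matches_domain(uid, domain) for uid in user_ids}


# Constructed sample user IDs, not taken from any real key.
SAMPLE_USER_IDS = [
    "Alice <alice@example.org>",           # in the domain
    "Bob <bob@mail.example.org>",          # subdomain: also covered by [@.]
    "Eve <eve@notexample.org>",            # suffix only, no '@' or '.' before it
    "Mallory <mallory@example.org.test>",  # '>$' anchors the domain at the end
    "carol@example.org",                   # no angle brackets: pattern needs them
]

if __name__ == "__main__":
    for uid, ok in check_user_ids(SAMPLE_USER_IDS, "example.org").items():
        print(f"{'covered' if ok else 'not covered':12} {uid}")
```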

Is this correct?

Yes. However...

the underlying implementation relies on GnuPG doing what i think is intended here, but i haven't tested it recently

I don't know for GnuPG 1.x, but with GnuPG 2.1 trust signature domain restrictions actually do not work as expected, because of T2923.

dkg added a comment. Jul 14 2017, 12:21 PM

My point is that without clear documentation of what is expected, it's pretty hard to tell whether the code is even working or not. Sounds like it isn't :(

marcus removed marcus as the assignee of this task. Jul 17 2017, 5:27 PM
marcus updated the task description.