
tsign domain not documented
Open, Low, Public


When doing a 'tsign' in --edit-key, gpg says

Please enter a domain to restrict this signature, or enter for none.

The meaning of this does not appear to be documented.



Event Timeline

clint added projects: gnupg, Bug Report.
clint added a subscriber: clint.
werner lowered the priority of this task from Normal to Low. Mar 17 2016, 3:18 PM
werner added a project: Documentation.

I have added this note to the description of the tsign command in the gpg man
page from master (2.1). Won't be changed for 1.4.

+ or groups. For more information please read the sections
+ `Trust Signature'' and `Regular Expression'' in RFC-4880.

(domain means the domain part of the mail address).
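The note above points to the Trust Signature and Regular Expression sections of RFC 4880, and the monkeysphere description later in this thread paraphrases the same restriction. The following is an added example, not code from this ticket or from GnuPG itself: it builds the regular-expression form that RFC 4880 section 5.2.3.14 gives for restricting a trust signature to example.com (`<[^>]+[@.]example\.com>$`) from a bare domain, and checks which user IDs that form does and does not cover. The function names are my own.

```python
import re

# Added example, not taken from the GnuPG sources or this ticket.
# RFC 4880 section 5.2.3.14 gives "<[^>]+[@.]example\.com>$" as the
# regular expression that restricts a trust signature to example.com;
# domain_to_regexp() produces that shape for an arbitrary mail domain.


def domain_to_regexp(domain: str) -> str:
    """Build the RFC 4880 trust-signature regular expression for a mail domain."""
    domain = domain.strip()
    if not domain or any(c in domain for c in "<>@ "):
        raise ValueError("expected a bare domain such as example.com")
    # re.escape() makes the dots literal. The "[@.]" in front of the domain
    # accepts both the domain itself (user@example.com) and any subdomain
    # (user@mail.example.com), while ">$" refuses anything appended after it
    # (user@example.com.other.test does not match).
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"


def uid_in_domain(user_id: str, domain: str) -> bool:
    """Return True if an OpenPGP user ID falls under the trust-signature domain.

    Note that the RFC pattern expects the address in angle brackets, so a
    user ID consisting of a bare address without "<...>" never matches.
    """
    return re.search(domain_to_regexp(domain), user_id) is not None


def classify(user_ids, domain):
    """Map each constructed user ID to whether the tsign domain covers it."""
    return {uid: uid_in_domain(uid, domain) for uid in user_ids}


if __name__ == "__main__":
    # Constructed sample user IDs, not real keys.
    sample = [
        "Alice <alice@example.com>",
        "Bob <bob@mail.example.com>",
        "Eve <eve@notexample.com>",
        "Mallory <mallory@example.com.attacker.test>",
        "alice@example.com",
    ]
    print(domain_to_regexp("example.com"))
    for uid, ok in classify(sample, "example.com").items():
        print(f"{'covered' if ok else 'not covered':12} {uid}")
```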

I'm not convinced that the +-prefixed lines address clint's concern.

In particular, the parenthetical remark "(domain means the domain part of the
mail address)" is the important bit -- will this be documented somewhere?

If someone comes up with a brief description on how to use it, we can add it.

marcus claimed this task.
marcus added a subscriber: marcus.

Nobody provided a better description, so I am closing here. Of course, we can still add one if somebody wants to improve it.

I don't think this issue is actually resolved. There's a feature here (I think) but it's not documented to the point where anyone can figure out how to use it. If there's no way to use it, the feature should be removed (or at least deprecated).

In monkeysphere-authentication(8), we use tsigs internally, and their use is documented with the following description of the domain option:

Using the `-n' or `--domain' option allows you to indicate that you only trust the given KEYID to make identifications within a specific domain (e.g. "trust KEYID to certify user identities within the domain").

Is this correct? The underlying implementation relies on GnuPG doing what I think is intended here, but I haven't tested it recently (and it's not covered by the monkeysphere test suite). I don't see tsigs included in the gpg test suite either (though I might be missing them someplace). Are tsigs included in any test suite?

Is this correct?

Yes. However...

the underlying implementation relies on GnuPG doing what I think is intended here, but I haven't tested it recently

I don't know for GnuPG 1.x, but with GnuPG 2.1 trust signature domain restrictions actually do not work as expected, because of T2923.

My point is that without clear documentation of what is expected, it's pretty hard to tell whether the code is even working or not. Sounds like it isn't :(

marcus updated the task description.