[ Contents ]

11. Enhanced Key Formats

11.1. Key Structures

   The format of an OpenPGP V3 key is as follows.  Entries in square
   brackets are optional and ellipses indicate repetition.

	   RSA Public Key
	      [Revocation Self Signature]
	       User ID [Signature ...]
	      [User ID [Signature ...] ...]

   Each signature certifies the RSA public key and the preceding user
   ID. The RSA public key can have many user IDs and each user ID can
   have many signatures.

   The format of an OpenPGP V4 key that uses two public keys is similar
   except that the other keys are added to the end as 'subkeys' of the
   primary key.

	      [Revocation Self Signature]
	      [Direct Key Self Signature...]
	       User ID [Signature ...]
	      [User ID [Signature ...] ...]
	      [[Subkey [Binding-Signature-Revocation]
		      Primary-Key-Binding-Signature] ...]

   A subkey always has a single signature after it that is issued using
   the primary key to tie the two keys together.  This binding signature
   may be in either V3 or V4 format, but V4 is preferred, of course.

   In the above diagram, if the binding signature of a subkey has been
   revoked, the revoked binding signature may be removed, leaving only
   one signature.

   In a key that has a main key and subkeys, the primary key MUST be a
   key capable of signing. The subkeys may be keys of any other type.
   There may be other constructions of V4 keys, too. For example, there
   may be a single-key RSA key in V4 format, a DSA primary key with an
   RSA encryption key, or RSA primary key with an Elgamal subkey, etc.

   It is also possible to have a signature-only subkey. This permits a
   primary key that collects certifications (key signatures) but is used
   only used for certifying subkeys that are used for encryption and

11.2. Key IDs and Fingerprints

   For a V3 key, the eight-octet key ID consists of the low 64 bits of
   the public modulus of the RSA key.

   The fingerprint of a V3 key is formed by hashing the body (but not
   the two-octet length) of the MPIs that form the key material (public
   modulus n, followed by exponent e) with MD5.

   A V4 fingerprint is the 160-bit SHA-1 hash of the one-octet Packet
   Tag, followed by the two-octet packet length, followed by the entire
   Public Key packet starting with the version field.  The key ID is the
   low order 64 bits of the fingerprint.  Here are the fields of the
   hash material, with the example of a DSA key:

  a.1) 0x99 (1 octet)

  a.2) high order length octet of (b)-(f) (1 octet)

  a.3) low order length octet of (b)-(f) (1 octet)

    b) version number = 4 (1 octet);

    c) time stamp of key creation (4 octets);

    d) algorithm (1 octet): 17 = DSA (example);

    e) Algorithm specific fields.

   Algorithm Specific Fields for DSA keys (example):

  e.1) MPI of DSA prime p;

  e.2) MPI of DSA group order q (q is a prime divisor of p-1);

  e.3) MPI of DSA group generator g;

  e.4) MPI of DSA public key value y (= g**x where x is secret).

   Note that it is possible for there to be collisions of key IDs -- two
   different keys with the same key ID. Note that there is a much
   smaller, but still non-zero probability that two different keys have
   the same fingerprint.

   Also note that if V3 and V4 format keys share the same RSA key
   material, they will have different key ids as well as different

HTML conversion and comments on this are RFC are Copyright (c) 1998 Werner Koch, Remscheider Str. 22, 40215 Düsseldorf, Germany. Verbatim copying and distribution is permitted in any medium, provided this notice is preserved. See here for copyright information on the RFC itself.

Updated: 1999-09-30 wkoch