On Tuesday 15 April 2008 at 15:05:45 Sven Radde wrote:
> Signing a new UID with the same key that was used to sign another UID
> proves that the same person that created the first UID created the
> second one.
> It does not prove that the person controls (or, is identified by) the
> second UID.
>
> As I said before: If you trust my key, I could simply add "Stan Tobias
> <[EMAIL PROTECTED]>" as UID to my key.
> If this new UID was trusted immediately, you would use *my* key to
> encrypt emails intended to go to Stan..!
>
> The crucial thing is connecting the person identified by a UID with a
> private key.
> This is what is meant by "trust" in a UID and in OpenPGP, this trust is
> expressed by signing the UID with your key.

Right, that makes sense now. Thanks everyone for the help - I think I was rather confused about the differences and connections between "validity", "trust" and "ownertrust":

On Tuesday 15 April 2008 at 15:56:59 Sven Radde wrote:
> To me it looks like the two "trust" concepts of GnuPG are somewhat
> intermingled in this discussion:
> - First, there's the "trust" in a UID which means that you trust the
> association between the key and the person identified by the UID. This
> is usually expressed by signing the UID in question. Another term would
> be "validity" of the key, IIRC.
> - Second, there's the "owner trust" assigned to a key, meaning that you
> trust that the key's owner, before signing other UIDs has made
> reasonable checks to the "trust" defined above. Default for this kind of
> trust is AFAIK "none", and you may manually set it to "marginal" or
> "full". You can then configure GnuPG to consider UIDs valid (i.e. you
> yourself "trust" them according to the first definition) when a certain
> number of "marginally" and/or "fully" trusted signatures already have
> been made on that UID.

Yes, that's what I now understand :-)

Please excuse one final question: I have signed keys with one person (A), whom I trust fully, and he has signed keys with another person (B), whom I know, but with whom I have not signed keys. B's key is (correctly) showing as *valid*. Should I still wait until I can check his identity using the photo-id and fingerprint, or is this now good enough for me to sign B's key? I wouldn't have thought so, but I just want to make sure I'm absolutely clear about this stuff.

Thanks again,
Pete.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
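
The validity/ownertrust distinction discussed in the thread above, as an added example that is not part of the original messages and is not GnuPG's own code: a simplified Python model of the classic trust model, using GnuPG's default values for `--completes-needed`, `--marginals-needed` and `--max-cert-depth`. Key names, UIDs and addresses are constructed, and the model ignores marginal validity, expiry and revocation.

```python
# Simplified model of GnuPG's classic trust model (added example, not GnuPG code).
# Constants mirror GnuPG's defaults for --completes-needed, --marginals-needed
# and --max-cert-depth. Marginal validity, expiry and revocation are ignored.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

def valid_uids(my_key, certs, ownertrust):
    """Return the set of (key, uid) pairs this model considers valid.

    certs: (key, uid) -> set of third-party signer keys. Self-signatures are
           left out: they only show who created the UID, not who it identifies.
    ownertrust: key -> "full" or "marginal"; keys not listed have none.
    """
    valid = {pair for pair in certs if pair[0] == my_key}
    signer_trust = {my_key: "ultimate"}
    for _ in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for pair, signers in certs.items():
            if pair in valid:
                continue
            levels = [signer_trust.get(s) for s in signers]
            full = sum(lvl in ("ultimate", "full") for lvl in levels)
            marginal = sum(lvl == "marginal" for lvl in levels)
            if (my_key in signers or full >= COMPLETES_NEEDED
                    or marginal >= MARGINALS_NEEDED):
                newly_valid.add(pair)
        if not newly_valid:
            break
        valid |= newly_valid
        # Ownertrust only starts to count once the signer's own key is valid.
        for key, _uid in newly_valid:
            if key in ownertrust:
                signer_trust[key] = ownertrust[key]
    return valid

# Constructed sample data: Pete signed A and Sven; A signed B; nobody but Sven
# certified the extra "Stan" UID that Sven added to his own key.
ME = "PETE"
UID_A = ("KEY_A", "A <a@example.org>")
UID_B = ("KEY_B", "B <b@example.org>")
UID_SVEN = ("KEY_SVEN", "Sven <sven@example.org>")
UID_STAN_ON_SVEN = ("KEY_SVEN", "Stan <stan@example.org>")
CERTS = {UID_A: {ME}, UID_B: {"KEY_A"}, UID_SVEN: {ME}, UID_STAN_ON_SVEN: set()}
OWNERTRUST = {"KEY_A": "full", "KEY_SVEN": "full"}

if __name__ == "__main__":
    for key, uid in sorted(valid_uids(ME, CERTS, OWNERTRUST)):
        print("valid:", key, uid)
```

In the sample data B's UID comes out valid through A's signature alone, while the "Stan" UID on Sven's key stays unvalidated despite full ownertrust on that key.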