On 6/22/10 12:25 AM, Daniel Kahn Gillmor wrote:
> On 06/21/2010 06:32 PM, David Shaw wrote:
>> On Jun 21, 2010, at 6:11 PM, Alex Mauer wrote:
>>
>>> I see that there is currently the import-option "import-local-sigs"
>>> which obviously allows the import of key-signatures marked non-exportable.
>>>
>>> It seems to me that it would be helpful to have a variant of this, which
>>> would only allow import of local signatures where the corresponding
>>> secret key was already available, and for this behavior to be the default.
>>
>> Not only is it reasonable, it is already the case :)
>
> Why is it more reasonable to auto-import local signatures if the secret
> key of the issuer is available than otherwise?
>
> I'm trying to understand the use case that you guys both seem to have
> intuitively picked up. Some of the common use cases I've seen for
> non-exportable sigs definitely do *not* have people importing them from
> keys they control, so I'm not seeing why it's a special case.
>
> Can you help me understand?
To me a local sig is basically saying, "I'm signing this key as a convenience, but I haven't done proper verification, so I'm not going to publicly vouch for this key." In that case, the only local sigs I can trust are the ones that I myself created. And if I have the public key that's a pretty good indication that the local signature came from me.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users