On 15/09/13 21:11, Philip Jägenstedt wrote:
> In very concrete terms, how can I determine which keys I need to
> import so that the GnuPG dist sig (4F25E3B6) has full validity?

There are two ways to answer this. One: Did you read my post from April I linked to? I know it sounds like self-promotion, but it's just to avoid repeating myself too much.

I think you misunderstand what makes a key valid. In order for it to be valid, it needs to be signed by one or more valid keys that you have assigned some ownertrust. Signatures themselves can chain, but ownertrust does not. You cannot make a key valid by downloading other keys. It can only become valid by being directly signed by people (keys) you trust.

The second answer:

> In very concrete terms, how can I determine which keys I need to
> import so that the GnuPG dist sig (4F25E3B6) has full validity?

As far as I can see, there are two solutions:

1) Meet with the owner of the key, satisfy yourself that he or she is indeed the owner, and sign the key.

2) In the list of signatures on the key, look for someone you know and at least marginally trust to do proper verification of key ownership. You then assign this key a certain amount of ownertrust, plus you need to make this key itself valid. To make it valid, follow this process again: either meet up with this person, or look for a signature on their key by someone you know.

There is a maximum depth to the second form of the solution. It can span no more than 5 hops from your own key by default (max-cert-depth).

I'm afraid there are no automated solutions[1] because ownertrust is something you decide, and the computer doesn't know who you know. The only "automated solution" is that you have the key for everyone you know and somewhat trust on your keyring: that way, GnuPG will immediately do the right thing, and compute validity for the downloaded key if it can be done.

HTH,

Peter.

[1] Again, I don't take trust signatures into account because they are no part of the normal Web of Trust.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
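
A simplified model of the validity calculation described in the message above, as an added example that is not part of the original mail or of GnuPG's code. ME, ALICE and BOB are constructed key names, and the thresholds of one fully trusted or three marginally trusted signers are GnuPG's defaults, which the mail does not state.

```python
# Simplified model of how GnuPG's classic trust model computes full validity.
# Marginal (partial) validity and trust signatures are left out.
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5    # GnuPG default for --max-cert-depth

def valid_keys(own_key, signatures, ownertrust):
    """Map each fully valid key to its distance (hops) from own_key.

    signatures: set of (signer, signee) pairs on the keyring.
    ownertrust: {key: "full" or "marginal"}; unlisted keys count for nothing.
    """
    depth = {own_key: 0}  # your own key is ultimately trusted
    for hop in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        for key in {signee for _, signee in signatures} - set(depth):
            # Only signatures from keys that are already valid are counted,
            # and each counts according to the ownertrust YOU gave the signer.
            signers = [s for s, k in signatures if k == key and s in depth]
            full = sum(s == own_key or ownertrust.get(s) == "full" for s in signers)
            marginal = sum(ownertrust.get(s) == "marginal" for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = hop
        if not newly_valid:
            break
        depth.update(newly_valid)
    return depth

# Constructed keyring: ME, ALICE and BOB are made-up names; 4F25E3B6 is the
# dist sig key from the question.
SIGS = {("ME", "ALICE"), ("ALICE", "BOB"), ("BOB", "4F25E3B6")}

def scenarios():
    target = "4F25E3B6"
    return {
        # Keys imported, no ownertrust assigned: only ALICE (signed by ME) is valid.
        "import_only": target in valid_keys("ME", SIGS, {}),
        # ALICE trusted: BOB becomes valid, but BOB's signature carries no weight.
        "trust_alice": target in valid_keys("ME", SIGS, {"ALICE": "full"}),
        # BOB trusted marginally: one marginal signature is short of three.
        "bob_marginal": target in valid_keys("ME", SIGS, {"ALICE": "full", "BOB": "marginal"}),
        # Ownertrust assigned at every hop: the target is valid, 3 hops away.
        "trust_both": valid_keys("ME", SIGS, {"ALICE": "full", "BOB": "full"}).get(target),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```
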