On 01/10/2016 11:01 PM, Full Name wrote:
Do I have to sign it?  Is there no way to configure gpg locally to
say "the info in this key (fingerprint) is accurate", without having
to sign?

If you are using the default trust model ("pgp"), no. In this model, the
validity of a key is only determined by its signatures.

If you are using GnuPG 2.1.10, you could have a look at the "tofu" or
"tofu+pgp" trust models, which allow you to do something like this:

   gpg2 --tofu-policy good 0xKEYID

to say that the specified key is fully valid.


Is the semantics of signing with lsign or sign "the info in this key
is accurate"?

Yes. "Signing" (or, more accurately, "certifying") a key roughly means
"I certify that this public key belongs to the person correctly identified in the User ID".


Is this separate from the "trust" thing, which is for trusting this
key to certify others?

This is completely separate. Unfortunately, the word or verb "trust" is
sometimes used to refer to the *validity* of a key (as in the sentence "I *trust* that this key belongs to the person specified in the User ID").


When I had first signed an imported key, it showed "trust: unknown".
But when I did "trust", then "1 = I don't know or won't say", it
showed "trust: undefined".  What is the difference between these two
values?

"Unknown" means that no trust has yet been explicitly assigned to the
key; "undefined" means you explicitly said that you didn't know how much
to trust the key. Both values imply that any certification emitted by
this key will be ignored.


Am I right in thinking it's the "validity" field which is affected by
"sign"?

Yes. In the "classic" or "pgp" trust models, the validity of a key is
calculated by looking at the certifications carried by that key.

By signing the key, you add to it a certification emitted by your own
key; since your key has ultimate trust, that certification is enough to
fully validate the target key.


Damien


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
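
The distinction drawn in the reply above between owner trust and validity, as an added example that is not part of the original message and is not GnuPG's code: a simplified model of how the classic "pgp" trust model derives validity from certifications. It goes beyond the message by also covering "full" and "marginal" owner trust, using GnuPG's default thresholds; the key names and the helper `bob_validity` are hypothetical.

```python
# Simplified model of validity in the classic "pgp" trust model.
# Not GnuPG's code; certification depth limits are left out.
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"
UNDEFINED, UNKNOWN = "undefined", "unknown"
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed


def compute_validity(ownertrust, certs):
    """Map each key to a validity of 'full', 'marginal' or 'unknown'.

    ownertrust: {key: owner trust}; a key not listed counts as "unknown".
    certs: {target key: set of keys that certified it}.
    """
    validity = {k: "full" for k, t in ownertrust.items() if t == ULTIMATE}
    changed = True
    while changed:  # repeat until no key's validity changes
        changed = False
        for target, signers in certs.items():
            if validity.get(target) == "full":
                continue
            full = marginal = 0
            for signer in signers:
                if validity.get(signer) != "full":
                    continue  # certifications from non-valid keys do not count
                trust = ownertrust.get(signer, UNKNOWN)
                if trust == ULTIMATE:
                    full += COMPLETES_NEEDED  # one such certification suffices
                elif trust == FULL:
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
                # "unknown" and "undefined": the certification is ignored
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = "full"
            elif marginal:
                new = "marginal"
            else:
                new = "unknown"
            if validity.get(target, "unknown") != new:
                validity[target] = new
                changed = True
    return validity


# Constructed sample: "me" is the local key and has certified "alice";
# "alice" has certified "bob".
SAMPLE_CERTS = {"alice": {"me"}, "bob": {"alice"}}


def bob_validity(alice_trust):
    """Return (validity of alice, validity of bob) for a given owner trust."""
    v = compute_validity({"me": ULTIMATE, "alice": alice_trust}, SAMPLE_CERTS)
    return v.get("alice", "unknown"), v.get("bob", "unknown")
```

In every case alice stays fully valid because the local key certified her; only bob's validity depends on the owner trust assigned to alice.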
