signing a robot's key - was: Re: Global Directory signatures

David Shaw dshaw at jabberwocky.com
Thu Dec 30 22:27:51 CET 2004


On Thu, Dec 30, 2004 at 04:12:45PM -0500, Atom 'Smasher' wrote:
> On Thu, 30 Dec 2004, David Shaw wrote:
> 
> > Both GnuPG and PGP do more or less the same thing here.  You can import 
> > keys freely, but such keys will remain invalid until there is a valid 
> > trust path to the key.  Invalid keys are usable, but you get some 
> > variation of the "are you sure?" message before you can use the key.
> ====================
> 
> I don't recall PGP(tm) having the option of "are you sure" for an unsigned 
> key, but I didn't spend much time with it. I was left with the impression 
> that the key couldn't be used unless it had a signature.

It depends how you are using PGP, I guess.  I imagine some plugins may
restrict more, but the regular "PGPmail" application lets you encrypt
to any key you like.  It just grays out invalid keys, but they are
still usable.

> > If there is no valid trust path to the key, and you want to make it 
> > valid (say, if you want to trust signatures issued by it, as in the case 
> > of the GD key), then you need to sign or locally sign the key yourself. 
> > PGP's "Sign" command actually defaults to local signing. You need to 
> > make an explicit action (check a check box) to make it a regular 
> > exportable signature.  Note that I'm speaking about PGP 8 here, though I 
> > seem to recall that PGP 7 was the same.
> =====================
> 
> One can also use edit-key and assign ultimate trust to a key, which will 
> make it trusted without a signature.

Yes.  PGP differs on this point - you can only make a key ultimately
trusted if you have both the public and secret parts.  GnuPG lets you
make any key ultimately trusted.  I like the GnuPG method better since
some people keep their secret keys offline.

David
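The check described in the exchange above (a key imported into the keyring stays invalid, and therefore prompts "are you sure?", until you sign it, locally sign it, or assign it ownertrust with edit-key) can be automated before encrypting to a key. The following is an added example, not code from the thread or from GnuPG itself: it parses the machine-readable listing that `gpg --with-colons --list-keys` produces (field layout as documented in GnuPG's doc/DETAILS) and reports whether GnuPG considers each key valid. The sample listing embedded in the block is constructed to show the three states discussed: a freshly imported key with no trust path, a key that became fully valid after a local signature, and the user's own key with ultimate ownertrust.

```python
"""Check which keys in a GnuPG keyring are valid before using them.

Added example (not from the thread): it reads the machine-readable
listing produced by `gpg --with-colons --list-keys` (format documented
in GnuPG's doc/DETAILS) and reports, per key, whether GnuPG considers
it valid, i.e. whether a trust path to it exists. A key reported as
not valid is the one GnuPG still lets you use, but only after an
"are you sure?" prompt. The sample listing below is constructed,
not captured from a real keyring.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field

# Validity codes in field 2 of "pub"/"uid" records (GnuPG doc/DETAILS).
VALID = {"m": "marginal", "f": "full", "u": "ultimate"}
NOT_VALID = {
    "o": "unknown (new key)", "i": "invalid", "d": "disabled",
    "r": "revoked", "e": "expired", "-": "unknown", "q": "undefined",
    "n": "never trust",
}


@dataclass
class Key:
    keyid: str
    validity: str      # computed validity: does a trust path exist?
    ownertrust: str    # what you assigned with `gpg --edit-key ... trust`
    uids: list[str] = field(default_factory=list)

    @property
    def is_valid(self) -> bool:
        return self.validity in VALID


def parse_colons(listing: str) -> list[Key]:
    """Parse --with-colons output into Key objects; other record types are ignored."""
    keys: list[Key] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # field 2 = validity, field 5 = key ID, field 9 = ownertrust
            keys.append(Key(keyid=f[4], validity=f[1], ownertrust=f[8]))
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])  # field 10 = user ID string
    return keys


def report(keys: list[Key]) -> dict[str, str]:
    """Map key ID -> human-readable validity state, as a pre-encryption check."""
    out: dict[str, str] = {}
    for k in keys:
        if k.is_valid:
            out[k.keyid] = f"valid ({VALID[k.validity]})"
        else:
            out[k.keyid] = (f"NOT valid ({NOT_VALID.get(k.validity, k.validity)}); "
                            "gpg will ask 'are you sure?' before encrypting to it")
    return out


def live_listing() -> str:
    """Run gpg against the real keyring. Not called by the demo below."""
    return subprocess.run(
        ["gpg", "--batch", "--with-colons", "--list-keys"],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample: a freshly imported key with no trust path, a key that
# became fully valid after `gpg --lsign-key KEYID` (its ownertrust is still
# unset), and the user's own key given ultimate ownertrust via
# `gpg --edit-key KEYID` -> `trust` -> 5.
SAMPLE = """\
tru::1:1104400000:0:3:1:5
pub:-:2048:1:1111111111111111:1104400000:::-::scESC::::::::
uid:-::::1104400000::AAAA::Freshly Imported <imported@example.invalid>::::::::::
pub:f:2048:1:2222222222222222:1104400000:::-::scESC::::::::
uid:f::::1104400000::BBBB::Locally Signed <lsigned@example.invalid>::::::::::
pub:u:2048:1:3333333333333333:1104400000:::u::scESC::::::::
uid:u::::1104400000::CCCC::Me Myself <me@example.invalid>::::::::::
"""

if __name__ == "__main__":
    for keyid, state in report(parse_colons(SAMPLE)).items():
        print(keyid, state)
```

Note the distinction the sample makes visible: the locally signed key is valid (validity `f`) while its ownertrust is still unset (`-`), because signing a key and trusting its owner to certify other keys are separate decisions; the edit-key route sets ownertrust `u`, which is what makes a key valid without any signature.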
