min-cert-level and lsigs

Peter Palfrader gnupg-devel=gnupg.org at lists.palfrader.org
Tue Feb 8 01:08:02 CET 2005

On Mon, 07 Feb 2005, David Shaw wrote:
> On Mon, Feb 07, 2005 at 07:28:14AM +0100, Peter Palfrader wrote:
> > I have signed several keys locally with lsigs, usually at cert level 1
> > 
> > Is there a way to accept local signatures regardless of certlevel, while
> > still ignoring 0x11 signatures by other people?
> > Should there be?
> That's a harder question.  On the one hand, this change would make
> local sigs different trust-wise than exportable sigs, which is
> messier.  On the other hand, the whole point of local sigs is that
> they are like a note from yourself, so they should be accepted
> regardless of their class.  Then you get into questions about whether
> it violates expectations and so on.
> What do you think?

Hmm.  I agree that handling lsigs differently from exportable sigs
probably is not the right solution.  It would very likely strike me as
odd that GnuPG accepted my lsig x11 on key foo and made it valid, but
when I sign key bar with an exportable sig x11 then it's like a no-op
for the trust metrics.

So maybe the solution is to accept signatures regardless of their class
from implicitly trusted keys?  It might not be what users expect but it
might just end up having the best behaviour.

