How does trust work?
Thu, 24 Aug 2000 08:21:47 -0700 (PDT)
I don't know if this is the right forum for this but I would like to
start off by thanking the contributors to GNUPG. This program has
been much easier to understand and use than PGP for me.
I have read the documentation for GNUPG and experimented with it a
bit, and I have a good system established for using it as long as I
make sure that no more than one key exists for a given user and I
fully trust those keys.
I am trying to make the next step in the learning process, using the
trust database to simplify the acceptance of new keys. My first
experiment went as follows:
I received a public key from Jim, which he told me was his "auth
key". I verified the fingerprint over the phone, added it to my
keyring, signed it, marked it as fully trusted, and updated the trust
database. The auth key does not expire.
Jim periodically sends me a new "communications key", with the same
UID, and, of course, a different key id. These communications keys
regularly expire, before which time I will receive a new
communications key from Jim. I am to encrypt all messages to Jim with
the current communications key he has sent me. Supposedly, I need
only add his communications key to my keyring and it will be trusted.
As I understand the trust database, a trust path should exist between
my secret key and all of Jim's communications keys, since I have
signed a fully trusted key of his UID. However, when I attempt to
encrypt a message to Jim's communications key, I am always told by GPG
that, in fact, a valid trust path to this key does not exist. This
causes me to take the extra(disconcerting) step of telling GPG that I
know what I'm doing before it will encrypt the key.
Well, I don't know what I'm doing because I obviously don't understand
how to complete a trust path. I know I could sign his communications
keys and manually mark them trusted, but that would be cheating. Can
someone straighten me out here? Is this even a valid application of
the trust database?
TIA - Rich
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to firstname.lastname@example.org