trusting an imported key which is the only key in a ring?
Wed, 8 Mar 2000 18:28:30 -0600 (CST)
-----BEGIN PGP SIGNED MESSAGE-----
Robert Forsman, at 17:01 -0500 on Wed, 8 Mar 2000, wrote:
> I have managed to mark it as trusted by creating a DSA key (argh) and then
> signing the beaver-alpha public key with argh. Then it is trusted. I can
> subsequently delete key argh and beaver-alpha is still trusted. this is
> what leads me to believe that I should be able to create trust without
> having to create a local key (since I would have to do that on several
> thousand machines).
While I do not have a great answer to this situation, I feel it is an
interesting predicament that needs to be looked at. I agree that one
should not have to have a local secret key in order to initiate the
validity/trust tree. True, one could have a throw-away local key to start
the tree, and just sign keys locally, but this is cumbersome and among
other things, requires the key to be generated, which can be an
undesirable process. It also undesirably requires another file to hold
the secret key (I'm not concerned about 'space' here but 'cleanness' and
Perhaps what is needed is for each user to have an maximally insecure,
unprotected, (virtually blank) 'dumby', non-exportable secret key which is
used solely for the purpose of initiating validity trees. This could take
the form of an option, say "--trust-key 0x000000" (note I don't know if
this key ID is even valid). A user could then use '--lsign' and friends
to initiate validity.
Perhaps there are reserved key ID's in OpenPGP that I haven't noticed that
GnuPG could use locally for this purpose.
Frank Tobin http://www.neverending.org/~ftobin/
"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: pgpenvelope - http://pgpenvelope.sourceforge.net/
-----END PGP SIGNATURE-----