trusting an imported key which is the only key in a ring?

Frank Tobin
Wed, 8 Mar 2000 18:28:30 -0600 (CST)

Robert Forsman, at 17:01 -0500 on Wed, 8 Mar 2000, wrote:

> I have managed to mark it as trusted by creating a DSA key (argh) and then
> signing the beaver-alpha public key with argh. Then it is trusted. I can
> subsequently delete key argh and beaver-alpha is still trusted. this is
> what leads me to believe that I should be able to create trust without
> having to create a local key (since I would have to do that on several
> thousand machines).
While I do not have a great answer to this situation, I feel it is an interesting predicament that needs to be looked at. I agree that one should not have to have a local secret key in order to initiate the validity/trust tree. True, one could have a throw-away local key to start the tree, and just sign keys locally, but this is cumbersome and among other things, requires the key to be generated, which can be an undesirable process. It also undesirably requires another file to hold the secret key (I'm not concerned about 'space' here but 'cleanness' and 'minimal-packaging').

Perhaps what is needed is for each user to have a maximally insecure, unprotected, (virtually blank) 'dummy', non-exportable secret key which is used solely for the purpose of initiating validity trees. This could take the form of an option, say "--trust-key 0x000000" (note I don't know if this key ID is even valid). A user could then use '--lsign' and friends to initiate validity. Perhaps there are reserved key IDs in OpenPGP that I haven't noticed that GnuPG could use locally for this purpose.

-- 
Frank Tobin
"To learn what is good and what is to be valued, those truths which cannot be shaken or changed." Myst: The Book of Atrus
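The predicament discussed above, as an added example that is not part of the original thread: it imports a public key into a ring that holds no secret key (so the key is not valid), then grants it validity two ways that need no local key at all, using today's GnuPG options `--import-ownertrust` and `trusted-key` rather than the `--trust-key` option proposed in the message. It assumes GnuPG 2.1 or later on PATH, and the "beaver-alpha" key it uses is a constructed stand-in generated on the spot so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces the predicament
# (freshly imported key in a ring with no secret key is not valid) and then
# grants validity without generating any local key. Assumes GnuPG 2.1+.
set -eu

# Scratch homedirs only; the user's real ~/.gnupg is never touched.
mkhome() { d=$(mktemp -d); chmod 700 "$d"; printf '%s' "$d"; }
kill_agent() { gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true; }

# Constructed stand-in for "beaver-alpha", generated here so the script runs
# offline; in practice this would be the project's exported public key file.
make_source_key() {
  src=$(mkhome)
  gpg --homedir "$src" --batch --yes --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'beaver-alpha (constructed) <beaver@example.invalid>' \
      ed25519 sign 0 2>/dev/null
  fpr=$(gpg --homedir "$src" --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}')
  gpg --homedir "$src" --export "$fpr" > "$src/beaver-alpha.gpg"
  printf '%s %s\n' "$src" "$fpr"
}

# Validity column of the pub record: '-' unknown, 'f' full, 'u' ultimate, ...
validity() { gpg --homedir "$1" --with-colons --list-keys "$2" 2>/dev/null \
             | awk -F: '/^pub/ {print $2; exit}'; }

# Prints three validity letters: after import, after ownertrust, with trusted-key.
demo() {
  set -- $(make_source_key); src=$1; fpr=$2
  ring=$(mkhome)
  gpg --homedir "$ring" --import "$src/beaver-alpha.gpg" 2>/dev/null
  before=$(validity "$ring" "$fpr")
  # Way 1: ownertrust record "fingerprint:6:" (6 = ultimate); no secret key needed.
  printf '%s:6:\n' "$fpr" | gpg --homedir "$ring" --import-ownertrust 2>/dev/null
  gpg --homedir "$ring" --check-trustdb 2>/dev/null
  via_ownertrust=$(validity "$ring" "$fpr")
  # Way 2: declare the key trusted in gpg.conf (long key ID = last 16 hex digits),
  # which is what a config-management tool can push to thousands of machines.
  ring2=$(mkhome)
  gpg --homedir "$ring2" --import "$src/beaver-alpha.gpg" 2>/dev/null
  printf 'trusted-key 0x%s\n' "$(printf '%s' "$fpr" | tail -c 16)" > "$ring2/gpg.conf"
  via_trusted_key=$(validity "$ring2" "$fpr")
  kill_agent "$src"; kill_agent "$ring"; kill_agent "$ring2"
  rm -rf "$src" "$ring" "$ring2"
  printf '%s %s %s\n' "$before" "$via_ownertrust" "$via_trusted_key"
}

case "${1:-}" in --run) demo ;; esac
```

Run it as `sh trust-demo.sh --run`; the first letter is the imported key's validity before anything is done, the next two after each method.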