Import of trustpaths

C. Hackenschmidt
Mon Jun 30 11:38:03 2003

> Chris H. wrote:
> > I have the following trustpath
> >
> > RootCA
> > > SubCA
> > >> User1/2/3/etc.
> >
> > where
> > - RootCA signed the SubCA as a trusted introducer
> > - SubCA signed the users
> >
> > If I'm now going to import the pub keys of the RootCA,
> SubCA, and the
> > users and if I sign the RootCA as a Metaintroducer, all the other
> > keys(SubCA, User1/2/3/etc.) should become valid. At least 
> that's what
> > it does with my PGP client.
> >
> > But if I import them into my GPG keyring I still have to sign every
> > single key manually. Btw attached is the file with my Testkeys.
> >
> > I might be completely stupid but I can't get this to work. Once I
> > signed the RootCA and trust it fully the other keys still 
> don't become
> > valid although they're signed as stated above.
> >
> > What am I doing wrong?

Eugene S. wrote:

> The "Metaintroducer" signature that you made using PGP is not
> exportable. IOW, when you import it into GPG, there is no 
> siganture from User1/2/3/etc. to RootCA in the file to import 
> into GPG. Even if you imported it into User4 under PGP there 
> would be no sig.
> After importing it into GPG you need to sign RootCA using
> "--lsign-key" which signs a key locally, IOW non-exportable.

Yeah, I know about that having to sign the root but once I signed it the
whole trustpath should work, right? But if sign and trust the RootCA the
UserCA/SubCA becomes valid but not the users itself, same if I sign the
SubCA then all users become valid. But I want this done in one step. 

David S. wrote:

> Did you run 'gpg --update-trustdb' after you signed the 
> RootCA key? GnuPG does this automatically by default, but 
> some people have the automatic update turned off.

And if I do that I still have to go through all the keys manually.

Actually what I want is all this done by just signing the Root CA key
and nothing else.

Anyone could test this with the demo .asc-file I sent in my first mail?