[Q] "sign" vs "sign-locally"

Eddie Roosenmaallen eroosenmaallen@cogeco.ca
Thu May 29 02:42:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(bottom-posted, unusual for me)

Joseph Bruni wrote:
> When you sign a key, you vouch for its authenticity. Your signature,
> being ultimately trusted, bestows validity to the key. Your signature is
> exported whenever you export this public key and pass it on to someone
> else. When you locally sign the key, your signature is not exported, but
> the key is still considered valid as far as you are concerned.

To expand on Joseph's point, when you regularly "sign" a key, the signature
is exported with the key. This means that if you then send the key to a
keyserver, others downloading it will see your signature on the key. If they
assign a level of trust to *your* key, then your signature adds a level of
validity to the key, even if the person receiving it has not personally
verified it.

If you "locally sign" a key, your signature is not exported; it is only for
you. That way, your sig never affects the validity of the key on someone
else's keyring.

Peace,
  Eddie Roosenmaallen

- --
OpenPGP KeyID: 0xCC1aCD05
Get my key from keyserver.kjsl.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+1VbjtGGqbMwazQURAt0dAJ96Z/B5+8IRT31QgDeQ2uYES6HRMACfSo7Y
0qmp0A0MHPDtKoHXckmdCzQ=
=jqZR
-----END PGP SIGNATURE-----