[Q] "sign" vs "sign-locally"

Graham graham.todd2@ntlworld.com
Sat May 31 09:57:02 2003

Hash: SHA1

On Wednesday 28 May 2003 11:00 pm, Daniel Carrera wrote:

> Hi all,
> I just realized that there are two ways of signing a key.  You can
> "sign" it, or sign it it "locally".  What's the difference?

This is the equivalent of the exportable signature and non-exportable=20
signature in PGP.  If you locally sign a key that signature cannot be=20
exported to another person or keyserver: in other words, it is a method=20
of allocating trust to a key on your keyring only.

> If I understand correctly, your signing a key means that you are
> confident that the key belongs to the person you think it does.  So,
> for instance, I could meet the person face-to-face and get his or her
> key ID for verification.

Correct, and this in fact the purpose of "key signing parties".

> I've looked at the man page.  I think that "sign" is what I just
> described in the above paragraph.  But I'm not sure I understand how
> "sign-locally" is different.

If you sign a key and then export the key, the signature goes with that=20
key.  If you locally sign the key and export it, the signature does not=20
go with the key.

> Also, why would I ever want to sign a key "non-revocably"?

Some keys are used for specific purposes, and one such purpose could be=20
to sign documents.  Having a non-revocable key stops anybody revoking=20
that key and therefore stops the invalidation of the documents.

- --=20

GPG keys at: gpg.keys@ntlworld.com

Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Please sign and encrypt for internet privacy