signing a robot's key - was: Re: Global Directory signatures
David Shaw
dshaw at jabberwocky.com
Thu Dec 30 22:27:51 CET 2004
On Thu, Dec 30, 2004 at 04:12:45PM -0500, Atom 'Smasher' wrote:
> On Thu, 30 Dec 2004, David Shaw wrote:
>
> > Both GnuPG and PGP do more or less the same thing here. You can import
> > keys freely, but such keys will remain invalid until there is a valid
> > trust path to the key. Invalid keys are usable, but you get some
> > variation of the "are you sure?" message before you can use the key.
> ====================
>
> i don't recall PGP(tm) having the option of "are you sure" for an unsigned
> key, but i didn't spend much time with it. i was left with the impression
> that the key couldn't be used unless it had a signature.
It depends how you are using PGP, I guess. I imagine some plugins may
restrict more, but the regular "PGPmail" application lets you encrypt
to any key you like. It just grays out invalid keys, but they are
still usable.
> > If there is no valid trust path to the key, and you want to make it
> > valid (say, if you want to trust signatures issued by it, as in the case
> > of the GD key), then you need to sign or locally sign the key yourself.
> > PGP's "Sign" command actually defaults to local signing. You need to
> > make an explicit action (check a check box) to make it a regular
> > exportable signature. Note that I'm speaking about PGP 8 here, though I
> > seem to recall that PGP 7 was the same.
> =====================
>
> one can also use edit-key and assign ultimate trust to a key, which will
> make it trusted without a signature.
Yes. PGP differs on this point - you can only make a key ultimately
trusted if you have both the public and secret parts. GnuPG lets you
make any key ultimately trusted. I like the GnuPG method better since
some people keep their secret keys offline.
David
More information about the Gnupg-users
mailing list