the best signature type someone can give me

David Shaw dshaw at
Tue Nov 1 16:51:10 CET 2005

On Tue, Nov 01, 2005 at 03:52:19PM +0100, Christoph Anton Mitterer wrote:

> Example:
> me->(tsign_1)->root_CA
> root_ca->(sign)->president
> root_ca->(tsign-x)->sub_CA
> =>root_ca and president is valid to me
> =>sub_CA is vaild too but nothing that sub_CA signs/tsigns is vaild for me
> Example:
> me->(tsign_2)->root_CA
> root_ca->(sign)->president
> root_ca->(tsign-1)->sub_CA_A
> root_ca->(tsign-2)->sub_CA_B
> sub_CA_A->(sign)->bill
> sub_CA_B->(tsign-1)->sub_sub_CA_B_A
> sub_sub_CA_B_A->sign->joe
> president->sign->mike
> =>root_CA, president, sub_CA_A, sub_CA_B are vaild to me
> =>bill is vaild too as root_CA makes sub_CA_A to an trusted introducer 
> for me (with the level 1 tsign)
> =>sub_sub_CA_B_A itself is valid too for me
> =>joe is NOT vaild for me, even sub_sub_CA_B_A got an level-1-tsign from 
> sub_CA_B which got an (!!) level-2-tsign from root_CA which would be ok 
> => BUT I gave root_CA only a level-2-sign so third and higher level 
> introducers (like sub_sub_CA_B_A is one) do not count for me
> =>mike is not vaild for me, too. even the levels for him would have been 
> ok,.. BUT president hasn't an tsign-x signature from the root
> Everything correct so far?

Exactly.  You've got it.

> What is the difference if I use FULLY or MARGINAL with tsigns?

It means the same thing as it does with regular sign.  You need 1 full
paths or 3 marginal paths (by default) to make a UID valid.  If you
use MARGINAL with tsign, then it just means you need two other paths
before the UID becomes valid.  You can set the parameters you want to
use with "completes-needed" and "marginals-needed" in gpg.conf.


More information about the Gnupg-users mailing list