no-ask-cert-level, default-cert-level, and keysigning

David Shaw dshaw at
Mon Nov 28 05:02:52 CET 2005

On Sun, Nov 27, 2005 at 06:04:56PM -0700, Bob Proulx wrote:
> I recently signed a key using gpg-1.4.1 and see that (at least on my
> Debian Sarge system) no-ask-cert-level apears to be the default
> default-cert-level is "0 (no particular claim)".


> In the old days I remember it would always ask this question upon
> signing and so assume the default must have been ask-cert-level.  Now
> it does not ask and unless you add that option ahead of time it will
> create a signature without any claim.  I have been out of touch and
> thought I would ask about the current status of these levels in a
> signed key.  I would appreciate the education.

You pretty much summarized it.  --ask-cert-level turns on the
question.  If you don't have the question turned on, GPG will use the
value from --default-cert-level, which defaults to 0.

> If a key has been signed with a default-cert-level of 0 is it possible
> to go back and edit the key signature and increase the level on a key?
> I could not find a way to do this.  The best I could find was to
> delete the key plus signature and sign it again using a different
> level.  Of course that worked.

That is the only way to do it.  The cert level is part of the
signature, and thus changing it requires issuing a new signature.

> Is this cert level no longer considered useful?  Should I not include
> a cert level with keys I sign now?  Or should we always add that
> option when signing a key?  What is the standard proceedure?

It's a matter of personal taste, really.  Some people like it, and
some don't.  It doesn't make much difference in practice since (unless
you're issuing level 1 sigatures, which are ignored by default), all
signature levels (or 0) are treated the same.


More information about the Gnupg-users mailing list