no-ask-cert-level, default-cert-level, and keysigning
dshaw at jabberwocky.com
Mon Nov 28 05:02:52 CET 2005
On Sun, Nov 27, 2005 at 06:04:56PM -0700, Bob Proulx wrote:
> I recently signed a key using gpg-1.4.1 and see that (at least on my
> Debian Sarge system) no-ask-cert-level apears to be the default
> default-cert-level is "0 (no particular claim)".
> In the old days I remember it would always ask this question upon
> signing and so assume the default must have been ask-cert-level. Now
> it does not ask and unless you add that option ahead of time it will
> create a signature without any claim. I have been out of touch and
> thought I would ask about the current status of these levels in a
> signed key. I would appreciate the education.
You pretty much summarized it. --ask-cert-level turns on the
question. If you don't have the question turned on, GPG will use the
value from --default-cert-level, which defaults to 0.
> If a key has been signed with a default-cert-level of 0 is it possible
> to go back and edit the key signature and increase the level on a key?
> I could not find a way to do this. The best I could find was to
> delete the key plus signature and sign it again using a different
> level. Of course that worked.
That is the only way to do it. The cert level is part of the
signature, and thus changing it requires issuing a new signature.
> Is this cert level no longer considered useful? Should I not include
> a cert level with keys I sign now? Or should we always add that
> option when signing a key? What is the standard proceedure?
It's a matter of personal taste, really. Some people like it, and
some don't. It doesn't make much difference in practice since (unless
you're issuing level 1 sigatures, which are ignored by default), all
signature levels (or 0) are treated the same.
More information about the Gnupg-users