How trust works in gpg...
dshaw at jabberwocky.com
Mon Apr 14 23:55:43 CEST 2008
On Mon, Apr 14, 2008 at 10:05:58PM +0100, Peter Lewis wrote:
> Hi there,
> Firstly, apolgies if this is a simple query. I didn't get the answer though
> from reading the manual.
> My friend and I signed each others' keys last week. However, since then he has
> added another UID with his work email address to his key. This showed up in
> my keyring when I sync'ed with the keyserver. This was after I had signed his
> key. However his new UID is not shown as trusted by me, even though he has
> signed his new UID with his key, which I have in turn also signed.
> Is this supposed to happen?
Yes. It's fairly common to say "I signed a key", but in reality,
you're signing a UID on a key. Thus, the UID that you signed is
marked as valid, but the UID you didn't sign isn't. If you want that
UID to be valid as well, you need to sign it too.
More information about the Gnupg-users