Need help understanding the difference between assigning owner trust and key validity.

John W. Moore III jmoore3rd at bellsouth.net
Sat Jun 13 14:06:36 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Steven W. Orr wrote:

> When I got your key, AND I know it came from you, then I set your key in my
> ring with owner trust of "trusted". But I didn't set the key validity. My
> understanding is that if I set your key validity then I'm signing my
> public key with your public key. (Someone please correct me if I'm way off.)

First; You cannot Sign Your Key with a Key belonging to someone else.
In order to Sign a Key Ya gotta have the Secret/Private half + the
Passphrase.  You Sign the OP's Key with Your Key.  This may be done using a
'Local' signature that exists _only_ within Your Keyring or You may Sign
the Key with an 'Exportable' signature which is then visible to Others
when the OP's Key is exported & shared.

> Then for other people to see that I trust you, I would then have to re-upload
> my public key to the keyserver network. Only those people who would refresh my
> key from the servers would then see that I trust you.
> 
> Can someone please confirm that what I just said is correct?

No, the above paragraph is not correct.  For others to 'see' that You
trust the OP they would have to Import their Key with Your exportable
signature displayed on it.  Refreshing Your Key on the Servers is only
necessary when/if the OP Signs Your Key with theirs using an Exportable
Sig and You wish to display to the Universe that They trust You.

This might be a good time to 'refresh' the proper netiquette regarding
signature sharing.  The proper method is to Sign a Key with an
Exportable signature and then _return_ the signed Key directly to the
Key Owner.  The decision as to whether or not to 'share' Your trust in
them should be theirs to make.

> If this is true, then how do I know how often I need to refresh the public
> keys that I have on my keyring?

This is a personal decision.  As a General Rule I only refresh a Key
manually when I am specifically interested in that specific Key's
signatures and/or UID status or whenever I notice that it is showing
'Expired' and I wish to determine if the Key is still useful.
Refreshing, discarding & cleaning Keys falls under the rubric of Keyring
Maintenance.  Like all maintenance; the frequency & intensity is
determined by the individual Keyring Owner.

HTH

JOHN ;)
Timestamp: Saturday 13 Jun 2009, 08:06  --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn5042: (MingW32)
Comment: Public Key at:  http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage:  http://tinyurl.com/yzhbhx

-----END PGP SIGNATURE-----
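
The distinction discussed in this thread, as an added example that is not part of the original post or of GnuPG's code: a simplified Python model of the classic trust calculation, assuming GnuPG's default thresholds (1 fully trusted or 3 marginally trusted certifiers, depth 5). It goes beyond the message by showing how validity is derived; the key ids `ME`, `FRIEND` and `THIRD` and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Owner trust: how far you rely on a key's owner to certify OTHER keys.
NONE, MARGINAL, FULL, ULTIMATE = range(4)

@dataclass
class Sig:
    signer: str        # key id that made the certification
    exportable: bool   # False models a local signature

@dataclass
class Key:
    keyid: str
    sigs: list = field(default_factory=list)

def valid_keys(ring, ownertrust, completes=1, marginals=3, max_depth=5):
    """Simplified validity calculation: a key is valid once enough already-valid,
    trusted keys have certified it. Owner trust alone never validates a key."""
    valid = {k for k, t in ownertrust.items() if t == ULTIMATE}  # your own keys
    for _ in range(max_depth):
        newly = set()
        for key in ring.values():
            if key.keyid in valid:
                continue
            signers = {s.signer for s in key.sigs if s.signer in valid}
            full = sum(ownertrust.get(s, NONE) >= FULL for s in signers)
            marg = sum(ownertrust.get(s, NONE) == MARGINAL for s in signers)
            if full >= completes or marg >= marginals:
                newly.add(key.keyid)
        if not newly:
            break
        valid |= newly
    return valid

def export(key):
    """What leaves your keyring: local signatures are dropped; owner trust
    is not part of the key at all, so it is never exported."""
    return Key(key.keyid, [s for s in key.sigs if s.exportable])

def demo(friend_trust=FULL):
    ring = {k: Key(k) for k in ("ME", "FRIEND", "THIRD")}       # constructed key ids
    ring["THIRD"].sigs.append(Sig("FRIEND", exportable=True))   # FRIEND certified THIRD
    trust = {"ME": ULTIMATE, "FRIEND": friend_trust}            # owner trust set, nothing signed
    before = valid_keys(ring, trust)
    ring["FRIEND"].sigs.append(Sig("ME", exportable=False))     # local signature on FRIEND's key
    after = valid_keys(ring, trust)
    return before, after, [s.signer for s in export(ring["FRIEND"]).sigs]
```

Calling `demo()` shows that setting owner trust alone leaves the friend's key invalid, that a local signature makes it (and the key it certified) valid, and that the exported copy of the friend's key carries no trace of that local signature.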


