John A. Wallace jw72253 at verizon.net
Thu Dec 29 03:45:08 CET 2011

> Date: Wed, 28 Dec 2011 03:25:33 +0100
> From: Jerome Baum <jerome at jeromebaum.com>
> To: gnupg-users at gnupg.org
> Subject: Re: --trusted-key
> Message-ID: <4EFA7E1D.8080003 at jeromebaum.com>
> Content-Type: text/plain; charset="utf-8"
> On 2011-12-28 03:08, John A. Wallace wrote:
> > --trusted-key long key ID
> >
> > Assume that the specified key (which must be given as a full 8 byte
> > key ID) is as trustworthy as one of your own secret keys. This option
> > is useful if you don't want to keep your secret keys (or one of them)
> > online but still want to be able to check the validity of a given
> > recipient's or signator's key.
> >
> > I read this definition online, but I can't seem to get a grasp on
> > what it is used for.  As it sounds as though it may have use for
> > something I want to do, I was hoping someone could elaborate a bit on
> > this.  It may be clear as glass to most of you, but I am not seeing
> > it (sorry).  Thanks.
> You can't set ultimate trust on a public key unless you have the
> corresponding private key. So this is a way of telling gnupg not to
> require that, e.g. if you have the key on another computer and gnupg
> can't know that.
> For instance, I keep two keys: 0x215236DA and 0xC58C753A. But only
> 0xC58C753A is on my machine, 0x215236DA is stored somewhere safe, so I
> don't want it on here. But I still want to ultimately trust 0x215236DA
> because, well, it's my key. So my gpg.conf says "trusted-key 215236DA".
I have a couple of questions about this idea.  First, why would you not have
assigned ultimate trust to the public key ID 0x215236DA when you created it
and had your secret key available to do so?  I mean, why the delay; what
value to you is your key without having it so trusted? (What point about
trust am I not factoring in here?) Secondly, you said, "So my gpg.conf says
'trusted-key 215236DA'." Were you shortening it for the sake of brevity, as
that is not an 8 byte long key ID?  Finally (and this part may very well
relate to my lack of fully understanding the trust procedures), would I be
specifying an ID in "--trusted-key long key ID" for a key that is one of
mine? If so, why would I need one of "my" keys, as the definition states, in
order "...to check the validity of a given recipient's or signator's key"?
I know I must be missing some critical point ----> woosh!  Thanks.
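As an added illustration (not from this thread, and not GnuPG's own code), here are the two checks a reader following Jerome's advice would want: confirm that the value given to `trusted-key` is a full 16-hex-digit long ID rather than the 8-digit short form, and confirm from `gpg --list-keys --with-colons` output that the key is now shown with validity `u` (ultimate). The listing below is a constructed sample, not real keys.

```python
import re

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
# Field 2 of a "pub" record is the validity letter, field 5 is the long key ID.
SAMPLE_LISTING = """\
tru::1:1325116800:0:3:1:5
pub:u:4096:1:11111111215236DA:1325116800:::u:::scESC::::::23::0:
uid:u::::1325116800::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Owner <owner@example.org>::::::::::0:
pub:f:4096:1:22222222C58C753A:1325116800:::-:::scESC::::::23::0:
uid:f::::1325116800::0123456789ABCDEF0123456789ABCDEF01234567::Other Person <other@example.org>::::::::::0:
"""

# A "full 8 byte key ID" is 16 hex digits, optionally prefixed with 0x.
LONG_KEYID = re.compile(r"^(?:0x)?([0-9A-Fa-f]{16})$")


def normalize_trusted_key(value):
    """Return the upper-case 16-hex-digit long key ID for a gpg.conf
    `trusted-key` value, or None if it is not a full 8-byte ID (for example
    the 4-byte short form 215236DA)."""
    m = LONG_KEYID.match(value.strip())
    return m.group(1).upper() if m else None


def key_validity(listing, keyid):
    """Validity letter of the pub record whose long key ID ends with `keyid`
    ('u' means ultimate, 'f' full, '-' unknown), or None if the key is not
    in the listing. Matching on a short suffix is for lookup only; the value
    written to gpg.conf should still be the full long ID."""
    keyid = keyid.upper()
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and fields[4].upper().endswith(keyid):
            return fields[1]
    return None


if __name__ == "__main__":
    for candidate in ("215236DA", "0x11111111215236DA"):
        print(candidate, "->", normalize_trusted_key(candidate))
    print("validity of ...215236DA:", key_validity(SAMPLE_LISTING, "215236DA"))
```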