--trusted-key

Jerome Baum jerome at jeromebaum.com
Thu Dec 29 04:04:15 CET 2011


On 2011-12-29 03:45, John A. Wallace wrote:
> I have a couple of questions about this idea.  First, why would you not have
> assigned ultimate trust to the public key ID 0x215236DA when you created it
> and had your secret key available to do so?  I mean, why the delay; what
> value to you is your key without having it so trusted? (What point about
> trust am I not factoring in here?)

I created the key on another computer, so the secret key was never on
this machine in the first place.

> Secondly, you said, " So my gpg.conf says
> 'trusted-key 215236DA'." Were you shortening it for sake of brevity, as
> that is not an 8 byte long key ID?

Yeah, another 8 characters would have made the line wrap around. :)

> Finally, (and this part may very well
> relate to my lack of fully understanding the trust procedures) would I be
> specifying an ID in "--trusted-key long key ID" for a key that is one of
> mine? If so, why would I need one of "my" keys, as the definition states, in
> order "...to check the validity of a given recipient's or signator's key"?
> I know I must be missing some critical point ----> woosh!  Thanks.

Yes, just like in my example, you would usually specify the ID of one of
your own keys.

So say I've certified your key with my 215236DA. That key is not on this
machine, but I'd like my gnupg to consider your email signatures valid.
What I'm telling gnupg is that 215236DA is my own key, so any other key
that is certified by 215236DA must be valid (presumably because I
personally checked this before certifying).

trusted-key is really there for the above scenario -- it is my key, but
it isn't on this computer, so gnupg can't know unless I tell it. There's
basically not much more to it.*

* Now, that's a meaningful sentence right there. "Ignoring anything else
there is to it, there's not much more to it."


-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
nameserver 217.79.186.148
nameserver 178.63.26.172
http://opennicproject.org/
--
No situation is so dire that panic cannot make it worse.
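
The scenario from the reply above, as an added example that is not part of the original message: two temporary GnuPG home directories stand in for the two machines, and the script reports the validity of a certified key on the second machine without and with `--trusted-key`. It assumes GnuPG 2.1 or later; the user IDs and directories are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: user IDs and directories are made up; assumes GnuPG 2.1+.

# Fingerprint of the first key matching $2 in homedir $1.
key_fpr() {
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Validity field of the first uid record of key $2 in homedir $1
# ("f" = fully valid, "u" = ultimately valid, "-"/"q" = not established).
# Any further arguments are passed to gpg as extra options.
uid_validity() {
  home=$1; key=$2; shift 2
  gpg --homedir "$home" --batch "$@" --with-colons --list-keys "$key" 2>/dev/null |
    awk -F: '$1 == "uid" { print $2; exit }'
}

trusted_key_demo() {
  a=$(mktemp -d) && b=$(mktemp -d) || return 1
  # Machine A: holds my secret key. For brevity the correspondent's key is
  # generated here too; only public keys ever reach machine B.
  for uid in 'Me <me@example.invalid>' 'Correspondent <corr@example.invalid>'; do
    gpg --homedir "$a" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never 2>/dev/null || return 1
  done
  me=$(key_fpr "$a" me@example.invalid)
  corr=$(key_fpr "$a" corr@example.invalid)
  # Certify the correspondent's key with my key.
  gpg --homedir "$a" --batch --yes --quiet -u "$me" --quick-sign-key "$corr" 2>/dev/null || return 1
  # Machine B: public keys only, my secret key never gets here.
  gpg --homedir "$a" --batch --export "$me" "$corr" |
    gpg --homedir "$b" --batch --quiet --import 2>/dev/null || return 1
  before=$(uid_validity "$b" "$corr")
  # Long key ID = last 16 hex digits of the fingerprint.
  long_id=$(printf %s "$me" | tail -c 16)
  after=$(uid_validity "$b" "$corr" --trusted-key "$long_id")
  gpgconf --homedir "$a" --kill all 2>/dev/null || true
  gpgconf --homedir "$b" --kill all 2>/dev/null || true
  rm -rf "$a" "$b"
  echo "before=${before:--} after=$after"
}

trusted_key_demo
```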
