ownertrust level of imported secret keys

Hauke Laging mailinglisten at hauke-laging.de
Fri Nov 9 19:33:10 CET 2012


Hello,

I noticed a behaviour which could be improved. If a key is generated, then its 
ownertrust is set to ultimate. But if a secret key is imported, the ownertrust 
remains unchanged.

I guess that the idea behind this may be that you can be sure that no one else 
can create a signature by a key you have generated, but that the import of a 
secret key can mean that someone else has shared his secret key with you, which 
does not make signatures of that key more trustworthy.

As I think that people should be advised to use offline mainkeys, they 
should not be bothered with unnecessary problems arising from that. Thus I 
suggest outputting a warning / hint if a secret key is imported. Something 
like:

"You have imported a secret key. It may be useful (probably if you are the 
only owner of this secret key) to set the trust level of this key to ultimate 
(see --edit key trust)."

Or even ask and do it.


Hauke
-- 
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
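
The check suggested in the message above, as an added example that is not part of the original post and not GnuPG's own code: it reads `gpg --with-colons --list-secret-keys` output, finds secret keys whose ownertrust (field 9 of the `sec` record) is not ultimate, and prints the matching lines for `gpg --import-ownertrust`. The function names are hypothetical, and the sample listing, fingerprints and user IDs are constructed.

```shell
#!/bin/sh
# Constructed sample in the format of `gpg --with-colons --list-secret-keys`.
# First key: imported, ownertrust "-". Second key: generated, ownertrust "u".
sample_listing() {
cat <<'EOF'
sec:-:4096:1:7777888899990000:1352486000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1352486000::::Imported Key <imported@example.org>:
ssb:-:4096:1:3333222211110000:1352486000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:
sec:u:4096:1:0000111122223333:1352400000:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:u::::1352400000::::Generated Key <generated@example.org>:
EOF
}

# Read a colon listing on stdin and print the primary-key fingerprint of
# every secret key whose ownertrust (field 9 of "sec") is not "u".
untrusted_secret_keys() {
    awk -F: '
        $1 == "sec" { pending = ($9 != "u"); next }
        $1 == "ssb" { pending = 0; next }   # fpr after ssb is a subkey
        $1 == "fpr" && pending { print $10; pending = 0 }
    '
}

# Turn fingerprints on stdin into lines in the format that
# `gpg --import-ownertrust` reads (trust value 6 = ultimate).
ownertrust_lines() {
    while read -r fpr; do
        printf '%s:6:\n' "$fpr"
    done
}

# Demo on the constructed sample: only the imported key is reported.
sample_listing | untrusted_secret_keys | ownertrust_lines

# On a real keyring, after confirming you are the only owner of each key:
#   gpg --with-colons --list-secret-keys | untrusted_secret_keys
#   printf '%s:6:\n' "<fingerprint>" | gpg --import-ownertrust
```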