self signed keys

Henry Hertz Hobbit hhhobbit at securemecca.net
Wed Aug 14 11:55:41 CEST 2013


On 08/14/2013 07:47 AM, Axel Braun wrote:
> Hi,
> 
> one (stupid?) question:
> 
> Where is the requirement to sign your own key documented? I had a
> look into RFC 4880 but could not spot the requirement there.
> 
> Thanks for clarifying.... Axel

There is no such requirement.  Your own keys are trusted
automatically with ultimate trust when you create them.  You
can stop reading now.

It is basically a requirement for any key to be signed to be
able to use it in any meaningful way.  If it isn't signed and
given some sort of level of trust it cannot be used to verify
either a clear-sign or detached-signature.  I never thought
about attempting to encipher using PK enciphering using
somebody else's public key without signing it but look at
RFC 4880 for what it says about that.  It is just that signing
and verifying is what I do most.  No trust for a key means no
way to have meaningful verification.

You do not need to sign your own key.  The reason why is
because when you generate your key, it has an entry for it
that is automatically added to the trustdb with ULTIMATE trust.
If it wasn't this way then you would have a chicken versus egg
problem.  You couldn't sign or lsign anybody else's key
using your private / secret key because your own key wasn't
trusted.  But if you try to sign your own key with your own
key ... you can't.  You need a key with ultimate trust to be
used to sign other keys with varying levels of trust in that
key.  So your own keys automatically have ultimate trust when
they are created.

If you cannot trust yourself to be yourself then maybe you have
MPD and need an eminent brain specialist's help.  Either that
or you need to generate your revocation and revoke your keys.
But that is more of a statement that you think somebody may have
your keys + pass-phrase than something about yourself.

HHH

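The point above, that a good signature from a key with no trust is not a meaningful verification, is easy to miss when gpg is driven from a script, because gpg reports GOODSIG either way. The following is an added example, not code from the post or from GnuPG itself: it parses constructed `--status-fd` output (all key IDs and user IDs are made up) and accepts a signature only when the signing key's validity line is full or ultimate.

```python
import re

# Constructed gpg --status-fd output (key IDs and user IDs are made up).
# Case (a): data signed with the user's own key, which gpg entered into the
# trustdb with ultimate trust when it was generated. Case (b): data signed
# with an imported public key that nobody signed or assigned ownertrust.
# gpg reports GOODSIG in both cases; only the TRUST_* line differs.
STATUS_OWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
STATUS_UNTRUSTED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Some Stranger <stranger@example.net>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_BAD_SIG = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>\n"

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# Validity keywords gpg emits after a good signature, weakest to strongest.
TRUST_RANK = {"TRUST_NEVER": -1, "TRUST_UNDEFINED": 0, "TRUST_MARGINAL": 1,
              "TRUST_FULLY": 2, "TRUST_ULTIMATE": 3}


def parse_status(text):
    """Yield (keyword, args) from status-fd output; non-status lines are skipped."""
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            yield m.group(1), m.group(2) or ""


def assess_verification(text, minimum="TRUST_FULLY"):
    """Return (good_signature, trust_keyword, accepted).

    The signature is accepted only if it is cryptographically good AND the
    signing key's validity is at least `minimum` (full or ultimate by default),
    which is what separates a real verification from a bare GOODSIG.
    """
    good, trust = False, None
    for keyword, _args in parse_status(text):
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG"):
            return False, None, False
        elif keyword in TRUST_RANK:
            trust = keyword
    accepted = good and trust is not None and TRUST_RANK[trust] >= TRUST_RANK[minimum]
    return good, trust, accepted
```

In a real pipeline the status text comes from `gpg --status-fd 1 --verify ...`; checking the exit code alone would accept case (b).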
