self signed keys
Hauke Laging
mailinglisten at hauke-laging.de
Wed Aug 14 16:10:19 CEST 2013
On Wed 14.08.2013, 09:55:41, Henry Hertz Hobbit wrote:
> There is no such requirement. Your own keys are trusted
> automatically with ultimate trust when you create them. You
> can stop reading now.
This sounds like the usual mix-up of (certification) trust and validity.
> You do not need to sign your own key. The reason why is
> because when you generate your key, it has an entry for it
> that is automatically added to the trustdb with ULTIMATE trust.
I just checked that. Surprisingly gpg shows non-selfsigned UIDs of ultimately
trusted keys as valid. Doesn't make sense IMHO (as trust refers to the mainkey
itself and not to the UIDs) but this is a very special case thus I am not sure
whether this behaviour is intentional or rather coincidental.
But: What is the argument for not self-signing a key?
> If it wasn't this way then you would have a chicken versus egg
> problem. You couldn't sign or lsign anybody else's key
> using your private / secret key because your own key wasn't
> trusted.
You could. You just wouldn't make them valid by it. :-) (unless they are
valid by other means and have marginal or complete trust).
> If you cannot trust yourself to be yourself then maybe you have
> MPD and need an eminent brain specialist's help.
One more mix-up of validity (=to "be" someone) and trust (assumes quality of
certifications). You may create an insecure test key (quite probably you
already have one). There is absolutely no reason to assign positive certification
trust to an insecure key, no matter how sure you are about the identity of the
creator.
Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
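
The distinction drawn in the message above between validity (recorded per user ID) and certification trust (recorded per key), read from `gpg --list-keys --with-colons` style output. This is an added example, not part of the original post: the key listing is constructed, and the rule in `describe` is a simplified model of how the two values combine.

```python
# Constructed sample in the `gpg --list-keys --with-colons` record format.
# Field 1 = record type, field 2 = validity, field 5 = key ID,
# field 9 = ownertrust (pub records only), field 10 = user ID.
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAA1:1376000000:::u:::scESC:
uid:u::::1376000000::HASH1::Own Key <me@example.org>:
pub:f:2048:1:BBBBBBBBBBBBBBB2:1376000000:::-:::scESC:
uid:f::::1376000000::HASH2::Verified Contact <contact@example.org>:
pub:-:2048:1:CCCCCCCCCCCCCCC3:1376000000:::f:::scESC:
uid:-::::1376000000::HASH3::Unverified Introducer <intro@example.org>:
"""

TRUSTED = {"m", "f", "u"}  # marginal, full, ultimate ownertrust
VALID = {"f", "u"}         # fully or ultimately valid user ID


def parse_keys(listing):
    """Return one dict per pub record: key ID, ownertrust, (uid, validity) pairs."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue  # not a record this example understands
        if f[0] == "pub":
            keys.append({"keyid": f[4], "ownertrust": f[8], "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append((f[9], f[1]))
    return keys


def describe(key):
    """Simplified model: certifications count only if the key is valid AND trusted."""
    valid = any(v in VALID for _, v in key["uids"])
    trusted = key["ownertrust"] in TRUSTED
    if valid and trusted:
        return "valid and trusted: its certifications count"
    if valid:
        return "valid only: identity accepted, its certifications are ignored"
    if trusted:
        return "trusted only: trust has no effect until the key is valid"
    return "neither valid nor trusted"


if __name__ == "__main__":
    for key in parse_keys(SAMPLE):
        print(key["keyid"], "->", describe(key))
```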