Multiple email addresses - any alternative to ask everyone to sign all my keys?
einarr at pvv.org
Wed Jul 24 18:09:13 CEST 2013
On Wed, Jul 24, 2013 at 10:13:52AM -0400, Daniel Kahn Gillmor wrote:
> My reluctance to rely on a certifications from a user with several keys
> is due to GnuPG's trust model; I rarely (if ever) assign full ownertrust
> to other people's keys. I usually mark other people's keys with
> marginal ownertrust if i think their certifications are reasonable.
> GnuPG will then consider a key+userid combination as "valid" if three
> marginally-trusted keys have certified it. If you control three keys,
> and i mark them all as marginally-trusted, then i've effectively granted
> you full ownertrust.
> Have you thought about how you plan to certify other people's keys and
> user IDs while operating with three separate keys?
My impression is that most people using more than one key do sign all keys with
all of their own keys. Otherwise some keys will be weaker in the web of trust,
putting some obstacles in the way of their usefulness.
I've got one key I made a decade ago that is about to be revoked because my new
key is now well-enough connected for most of my purposes. While using two keys
I've had the habit of signing other people's keys with both of them.
However, this means that you don't lose any power in validating other keys if
you only put ownertrust on any one of my keys as they are more or less
equivalent, at least for the time period where they have all been in use.
Personally I prefer using people's personal (as opposed to business) keys for
this, though admittedly mostly by accident because I hadn't thought about the
case you just raised. My reasoning for this is that 1) it is primarily the
_person_ I trust, not e.g. his employer, and 2) a personal key is more likely
to have a long life as people generally seem to change jobs more often than PGP
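The trust arithmetic Daniel describes above, as an added toy model that is not from this thread and not GnuPG's own code: it applies the default `marginals-needed=3` and `completes-needed=1` rule (max-cert-depth is ignored) to a constructed keyring where one person holds three marginally-trusted keys, and the `by_owner` switch is a hypothetical mitigation (not a GnuPG option) that counts at most one marginal certification per person.

```python
# Toy model of GnuPG's classic trust calculation (added example, not GnuPG code).
# Assumptions: marginals-needed=3, completes-needed=1 (the defaults);
# certification depth is ignored. Keys are named "<owner>-<n>" and are constructed.
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1

def compute_validity(ownertrust, certs, by_owner=False):
    """Return the set of keys considered valid.

    ownertrust: {key: "ultimate" | "full" | "marginal" | "unknown"}
    certs: list of (signer_key, signed_key) certifications
    by_owner: if True, marginal certifications are counted once per owner
      (hypothetical mitigation; GnuPG itself counts per signing key).
    """
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    # Validity depends on the validity of the certifying keys, so iterate
    # until no further key becomes valid.
    while changed:
        changed = False
        for target in {signed for _, signed in certs}:
            if target in valid:
                continue
            full = 0
            marginal_votes = set()
            for signer, signed in certs:
                if signed != target or signer not in valid:
                    continue  # only certifications from valid keys count
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal_votes.add(signer.split("-")[0] if by_owner else signer)
            if full >= COMPLETES_NEEDED or len(marginal_votes) >= MARGINALS_NEEDED:
                valid.add(target)
                changed = True
    return valid

# Constructed keyring: I certified all three of alice's keys and marked each
# marginal; alice certified bob's key with all three of them.
OWNERTRUST = {"me-1": "ultimate",
              "alice-1": "marginal", "alice-2": "marginal", "alice-3": "marginal"}
CERTS = [("me-1", "alice-1"), ("me-1", "alice-2"), ("me-1", "alice-3"),
         ("alice-1", "bob-1"), ("alice-2", "bob-1"), ("alice-3", "bob-1")]

def bob_is_valid(by_owner=False):
    return "bob-1" in compute_validity(OWNERTRUST, CERTS, by_owner)
```

With per-key counting, alice alone makes bob's key fully valid, which is the "effectively full ownertrust" effect; counting per owner leaves it unvalidated.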