Re-signing keys with higher owner trust

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Mar 4 00:05:03 CET 2013


On 03/02/2013 01:48 AM, Doug Barton wrote:
> On 03/01/2013 03:37 PM, Davíð Steinn Geirsson wrote:

> | I signed a few keys recently using --edit-key and the 'trust' command,
> | which did not ask me how well I had verified the users identity, but
> | proceeded to generate a 'sig' signature on the keys. I've since found
> | out I now need to use the --ask-cert-level option to get this prompt.
> |
> | As I did extensive verification of the identity of the
> | keyholders (verifying government IDs), I'd like to resign these keys
> | with a sig3.

note that what you're trying to do here is to change the certification
level, which is entirely different from changing the "owner trust"
mentioned in the subject line.

certification level indicates how carefully you verified identity
information.  this is a subjective measure, and is not actually used by
gpg other than to ignore "casual" (sig1) certifications. The
certification level might be used by some other OpenPGP implementations,
but "generic" certification is so common that those implementations
should probably have a reasonable behavior even without a specified
cert-level.

owner trust, on the other hand, is a private indication (usually only
visible to your GnuPG implementation) of how much you are willing to
rely on other OpenPGP certifications made by keyholder.

These are distinct and orthogonal concepts -- please don't conflate them!

> You don't want to revoke the signature, since it is still valid. You
> want to use the delsig option when editing the key.

or just supply the --expert option to gpg, which should permit you to
make a second certification.

> If the old signature was ever sent to a key server, it will remain
> there, but the new one with the higher cert level will be preferred.

While this is true, it's worth noting that the second certification will
be preferred because it is more recent than the first, not because of
the higher chosen cert-level.

hth,

	--dkg
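As an added example (not code from this thread, nor GnuPG's own), here is a small Python parser that reads the certification class (sig, sig1, sig2, sig3) and creation time out of OpenPGP v4 signature packets in the RFC 4880 wire format, then models the selection rule dkg describes: the newest certification on a user ID wins, and the level is not the tie-breaker. The packet bytes are constructed fixtures with a dummy MPI rather than real signatures, and the `min_cert_level=2` default (sig1 ignored, generic sig always accepted) is an assumption mirroring GnuPG's `--min-cert-level` default.

```python
# Added example (not from the thread): parse the certification level and
# creation time out of OpenPGP v4 signature packets (RFC 4880 format), and
# model how a newer certification outranks an older one regardless of level.
import struct

# Signature types 0x10..0x13 are the four certification classes.
CERT_TYPES = {0x10: "sig", 0x11: "sig1", 0x12: "sig2", 0x13: "sig3"}

def build_cert_sig(sig_type, created):
    """Constructed fixture: a minimal new-format v4 signature packet carrying
    only a creation-time hashed subpacket and a dummy 8-bit MPI (no real signature)."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)   # subpacket len=5, type 2 (creation time)
    body = (bytes([4, sig_type, 1, 8])                    # v4, sig type, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed     # hashed subpacket area
            + b"\x00\x00"                                 # empty unhashed subpacket area
            + b"\xab\xcd"                                 # left 16 bits of the hash
            + b"\x00\x08\xff")                            # MPI: 8-bit value 0xff (dummy)
    return bytes([0xC2, len(body)]) + body                # new-format header, tag 2, short length

def parse_cert_sig(pkt):
    """Return (level, created) for a certification packet; level 0 = 'sig', 3 = 'sig3'."""
    if pkt[0] & 0xC0 != 0xC0 or pkt[0] & 0x3F != 2 or pkt[1] >= 192:
        raise ValueError("expected a short new-format signature packet")
    body = pkt[2:2 + pkt[1]]
    if body[0] != 4 or body[1] not in CERT_TYPES:
        raise ValueError("not a v4 certification signature")
    hcount = struct.unpack(">H", body[4:6])[0]
    sub, i, created = body[6:6 + hcount], 0, None
    while i < len(sub):                           # walk hashed subpackets (short lengths only)
        slen, stype = sub[i], sub[i + 1] & 0x7F   # length covers type+data; mask the critical bit
        if stype == 2:                            # signature creation time, 4-byte big-endian
            created = struct.unpack(">I", sub[i + 2:i + 1 + slen])[0]
        i += 1 + slen
    if created is None:
        raise ValueError("creation time subpacket missing")
    return body[1] - 0x10, created

def preferred_certification(packets, min_cert_level=2):
    """Pick the certification GnuPG would honour: drop levels below min_cert_level
    (sig1 is ignored by default, as the thread notes; level 0 'sig' is always accepted),
    then take the most recent one. The level itself is never the tie-breaker."""
    usable = [parse_cert_sig(p) for p in packets]
    usable = [(lvl, t) for lvl, t in usable if lvl == 0 or lvl >= min_cert_level]
    return max(usable, key=lambda s: s[1]) if usable else None
```

Feeding an older sig3 and a newer generic sig into `preferred_certification` returns the generic one, which is exactly why re-certifying at a higher level only "wins" because the new certification is more recent.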
