Sign key and export for each UID

atair atair04 at googlemail.com
Tue Sep 17 08:23:35 CEST 2013


On 9/16/13, Doug Barton <dougb at dougbarton.us> wrote:
> The way that your signer did it is _a_ standard way to do it. CAFF is a
> very popular program for that, and there is another here that is also
> pretty good: http://www.phildev.net/pius/news.shtml
Is there a way to achieve the same signatures from the gpg command line?
For example
    $ gpg -a --export <uid>
exports the complete key and not just the signature. However, I
understand the gpg-man pages in a way that it's possible to do a
    $ gpg -u <my_keyid> --edit-key <other's_keyid>
    > sign <other's_first_uid>
    > sign <other's_second_uid>
    > ...
    > q
Is that true?
How could I export the created signature for each step? (Something like an
"-a --export <file>" but from interactive mode seems not to be
present...)

BTW: I'm on GNU/Linux for some years now and I'd never use Windows again ;)
So personally, I don't care whether these tools exist for Windows or not...

> I have another philosophy that works for me because I prefer not to sign
> uids that are not valid. I send encrypted e-mail to each uid with a
> pseudo-random string and ask the person to send me back the string in a
> signed message. That allows me to determine if the person has control of
> all 3 elements of the uid; the e-mail address, private, and public keys.
> As a pleasant side effect it also gives me a chance to judge their
> competence with PGP, which allows me to assign a better trust value to
> folks I did not previously know.
Seems reasonable, although there's an overhead for this
3-way-handshake (but usually you don't sign keys on a daily basis, so
that doesn't really matter :)

> I have the script to do this here:
> https://dougbarton.us/PGP/gen_challenges.html
Probably I just overlooked it, but I could not find where the per-uid
signatures are created/exported.

-- atair
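
The per-UID challenge bookkeeping described in the quoted text, as an added example that is not part of this thread and is not Doug Barton's gen_challenges script. It assumes the machine-readable `gpg --with-colons --list-keys` layout (record type in field 1, validity in field 2, user ID in field 10); the listing, key IDs and addresses are constructed, and all function names are hypothetical.

```python
import hmac
import re
import secrets

# Constructed sample of `gpg --with-colons --list-keys <keyid>` output;
# every ID, name and address below is made up for this example.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAABBBBCCCCDDDD:1379000000:::-:::scESC:
fpr:::::::::0000111122223333444455556666AAAABBBBCCCCDDDD:
uid:-::::1379000000::1111111111111111111111111111111111111111::Alice Example <alice@example.org>:
uid:r::::1379000000::2222222222222222222222222222222222222222::Alice Example <old@example.net>:
uid:-::::1379000000::3333333333333333333333333333333333333333::Alice (work\\x3a ops) <alice@example.com>:
sub:-:4096:1:EEEEFFFF00001111:1379000000::::::e:
"""

def unescape(field):
    """Undo the \\xNN escaping gpg applies to ':' and control characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def valid_uids(listing):
    """Return user IDs that are not revoked (r), expired (e) or invalid (i)."""
    uids = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9 and f[1] not in ("r", "e", "i"):
            uids.append(unescape(f[9]))
    return uids

def email_of(uid):
    """Extract the address from a 'Name (comment) <addr>' user ID, if any."""
    m = re.search(r"<([^<>\s]+@[^<>\s]+)>\s*$", uid)
    return m.group(1) if m else None

def make_challenges(uids):
    """One independent random string per address, to be sent encrypted to it."""
    return {email_of(u): secrets.token_urlsafe(24) for u in uids if email_of(u)}

def check_response(challenges, email, returned):
    """Compare the string that came back for one address, in constant time.
    The signature on the reply still has to be verified with gpg separately."""
    expected = challenges.get(email)
    return expected is not None and hmac.compare_digest(
        expected.encode(), returned.strip().encode())
```

Only addresses whose challenge comes back correctly, in a reply signed by the key in question, would then go on to the per-UID signing step.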