basic identity mgmt

Full Name wendyoberg at
Sun Jan 10 23:01:43 CET 2016



Someone just gave me their key fingerprint.  I want to record that
the info in the key is correct.  It's unclear to me how I do so.

I've done recv-key, and list-key, and verified the fingerprint by
hand, and confirmed the person's name and contact details.

Do I have to sign it?  Is there no way to configure gpg locally to
say "the info in this key (fingerprint) is accurate", without having
to sign?

Is the semantics of signing with lsign or sign "the info in this key
is accurate"?

Is this separate from the "trust" thing, which is for trusting this
key to certify others?  When I had first signed an imported key, it
showed "trust: unknown".  But when I did "trust", then "1 = I don't
know or won't say", it showed "trust: undefined".  What is the
difference between these two values?

Am I right in thinking it's the "validity" field which is affected by
"sign"?  Why is this not updated at all until the program is restarted?
Keeping the model of one having to save one's changes, couldn't the
program display "validity: unknown (unsaved: full)" or somesuch, thus
showing the user what change has been performed by their action?

  thanks, W.

More information about the Gnupg-users mailing list