basic identity mgmt

Peter Lebbing peter at
Mon Jan 11 12:19:14 CET 2016


> Do I have to sign it?  Is there no way to configure gpg locally to
> say "the info in this key (fingerprint) is accurate", without having
> to sign?

You have to sign it; that's how it works :).

> Is the semantics of signing with lsign or sign "the info in this key
> is accurate"?

Yes. "The info" is contained in a UID, and you separately sign any UIDs
you've verified. A signature done with lsign will not be exported to
others (unless you force GnuPG to do so), so you use it if you want the
fact that you verified it to only be known to yourself. A regular "sign"
command marks it exportable.

> Is this separate from the "trust" thing, which is for trusting this
> key to certify others?

Yes, exactly. I can see you've read documentation! People always get
confused by ownertrust and validity; you've got it right in one go.
Since "trust" is such a broad concept, I always try to refer to it as
"ownertrust", to narrow it down to the specifics.

>  When I had first signed an imported key, it
> showed "trust: unknown".  But when I did "trust", then "1 = I don't
> know or won't say", it showed "trust: undefined".  What is the
> difference between these two values?

It makes no difference with regard to validity calculations. It's just
for your own information. The former would imply you still need to
assess the trust, where the latter means you assessed it and still don't
know, or won't say. There's a command to set the trust for all keys for
which it hasn't been set yet; this command would skip "undefined" but
ask you about "unknown".

> Am I right in thinking it's the "validity" field which is affected by
> "sign"?


> Why is this not updated at all until the program is restarted?

My guess is that it's because it's quite an intensive calculation, and
you don't want to have that slowing down your interaction with the
program in this run.

Any change of trust or validity requires re-calculating all validity
values for keys, since a newly valid, trusted key may in turn make other
keys valid, which in turn... Obviously, it would be possible to
recalculate only the affected part, but that's not how it's implemented:
it will recalculate everything.

> Keeping the model of one having to save one's changes, couldn't the
> program display "validity: unknown (unsaved: full)" or somesuch, thus
> showing the user what change has been performed by their action?

It would technically be possible. But I don't think it would be high on
a TODO list :).



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
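The points in the reply above can be checked in a throwaway keyring. The script below is an added example, not code from the post or from the GnuPG project; it assumes gpg 2.1.17 or later (for the --quick-* commands) and gpgconf on PATH, and the three people and addresses in it are made up. It shows that an lsign certification is dropped by --export unless export-local-sigs is forced, that a key becomes valid through my own signature while its ownertrust stays unknown, that "unknown" and "undefined" ownertrust give the same validity, and that only raising ownertrust lets that key's certifications make a third key valid. Every validity is recomputed with --check-trustdb, the non-interactive counterpart of the --update-trustdb command mentioned above, which is the whole-keyring recalculation the reply describes.

```shell
#!/bin/sh
# Added example, not part of the original post. Runs two throwaway GnuPG homes:
# "mine" holds Alice's own key, "other" stands in for the rest of the world.
# Assumes gpg >= 2.1.17 and gpgconf on PATH; names/addresses are constructed.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not on PATH; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
MINE="$WORK/mine"     # my keyring: Alice's key gets ultimate ownertrust at generation
OTHER="$WORK/other"   # the world: Bob and Carol live here
mkdir -m 700 "$MINE" "$OTHER"
cleanup() {
    for h in "$MINE" "$OTHER"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# g HOME ARGS...: run gpg non-interactively against one of the two homes.
g() { _h=$1; shift; GNUPGHOME="$_h" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Colon-format fields (doc/DETAILS): fpr record field 10 is the fingerprint;
# pub record field 2 is validity and field 9 is ownertrust (- unknown, q undefined, f full).
fpr()        { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
validity()   { g "$MINE" --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $2; exit}'; }
ownertrust() { g "$MINE" --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $9; exit}'; }
# Number of signature packets in an export from my keyring (self-sig plus certifications).
sigs_in_export() { g "$MINE" "$@" | g "$MINE" --list-packets | grep -c '^:signature packet:'; }
# Set a key's ownertrust by number (2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate)
# and recompute every validity in the keyring, as an interactive session does on restart.
set_ownertrust() { printf '%s:%s:\n' "$1" "$2" | g "$MINE" --import-ownertrust; g "$MINE" --check-trustdb; }

g "$MINE"  --quick-generate-key 'Alice <alice@example.invalid>' ed25519 sign never
g "$OTHER" --quick-generate-key 'Bob <bob@example.invalid>'     ed25519 sign never
g "$OTHER" --quick-generate-key 'Carol <carol@example.invalid>' ed25519 sign never
BOB=$(fpr "$OTHER" bob@example.invalid)
CAROL=$(fpr "$OTHER" carol@example.invalid)

# Out in the world, Bob certifies Carol; then both public keys reach me.
g "$OTHER" -u "$BOB" --quick-sign-key "$CAROL"
g "$OTHER" --export "$BOB" "$CAROL" | g "$MINE" --import
g "$MINE" --check-trustdb

# 1. I verified Bob's fingerprint in person and record that for myself only (lsign).
g "$MINE" --quick-lsign-key "$BOB"
g "$MINE" --check-trustdb
PLAIN_EXPORT=$(sigs_in_export --export "$BOB")                                     # Bob's self-sig only
FORCED_EXPORT=$(sigs_in_export --export-options export-local-sigs --export "$BOB")  # my lsign now included

# 2. Bob is valid (signed by my ultimately trusted key) but his ownertrust is still
#    unknown, so his certification of Carol counts for nothing yet.
BOB_V1=$(validity "$BOB"); BOB_OT1=$(ownertrust "$BOB"); CAROL_V1=$(validity "$CAROL")

# 3. "undefined" ownertrust: I assessed Bob and won't say. Validity is unchanged.
set_ownertrust "$BOB" 2
BOB_V2=$(validity "$BOB"); BOB_OT2=$(ownertrust "$BOB"); CAROL_V2=$(validity "$CAROL")

# Full ownertrust: Bob's certifications now make keys valid, so Carol becomes valid.
set_ownertrust "$BOB" 5
CAROL_V3=$(validity "$CAROL")

printf 'signature packets in export of Bob: plain=%s forced=%s\n' "$PLAIN_EXPORT" "$FORCED_EXPORT"
printf 'Bob   validity/ownertrust: %s/%s (unknown) -> %s/%s (undefined)\n' "$BOB_V1" "$BOB_OT1" "$BOB_V2" "$BOB_OT2"
printf 'Carol validity with Bob ownertrust unknown=%s undefined=%s full=%s\n' "$CAROL_V1" "$CAROL_V2" "$CAROL_V3"
```

Run it as an ordinary user; it never touches your real keyring because both homes are created under mktemp and removed on exit. The export counts are what "lsign is not exported unless you force GnuPG to do so" means in practice, and the two Carol rows before and after set_ownertrust 5 are the ownertrust/validity split: my signature on Bob makes Bob valid, but only Bob's ownertrust decides whether Bob's signature makes Carol valid.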

More information about the Gnupg-users mailing list