basic identity mgmt
dgouttegattat at incenp.org
Mon Jan 11 12:24:09 CET 2016
On 01/10/2016 11:01 PM, Full Name wrote:
> Do I have to sign it? Is there no way to configure gpg locally to
> say "the info in this key (fingerprint) is accurate", without having
> to sign?
If you are using the default trust model ("pgp"), no. In this model, the
validity of a key is only determined by its signatures.
If you are using GnuPG 2.1.10, you could have a look at the "tofu" or
"tofu+pgp" trust models, which allow you to do something like this:
gpg2 --tofu-policy good 0xKEYID
to say that the specified key is fully valid.
> Is the semantics of signing with lsign or sign "the info in this key
> is accurate"?
Yes. "Signing" (or, more accurately, "certifying") a key roughly means
"I certify that this public key belongs to the person correctly
identified in the User ID".
> Is this separate from the "trust" thing, which is for trusting this
> key to certify others?
This is completely separate. Unfortunately, the word or verb "trust" is
sometimes used to refer to the *validity* of a key (as in the sentence
"I *trust* that this key belongs to the person specified in the User ID").
> When I had first signed an imported key, it showed "trust: unknown".
> But when I did "trust", then "1 = I don't know or won't say", it
> showed "trust: undefined". What is the difference between these two
"Unknown" means that no trust has yet been explicitly assigned to the
key; "undefined" means you explicitly said that you didn't know how much
to trust the key. Both values imply that any certification emitted by
this key will be ignored.
> Am I right in thinking it's the "validity" field which is affected by
Yes. In the "classic" or "pgp" trust models, the validity of a key is
calculated by looking at the certifications carried by that key.
By signing the key, you add to it a certification emitted by your own
key; since your key has ultimate trust, that certification is enough to
fully validate the target key.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 455 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users