basic identity mgmt

Damien Goutte-Gattat dgouttegattat at
Mon Jan 11 12:24:09 CET 2016

On 01/10/2016 11:01 PM, Full Name wrote:
> Do I have to sign it?  Is there no way to configure gpg locally to
> say "the info in this key (fingerprint) is accurate", without having
>  to sign?

If you are using the default trust model ("pgp"), no. In this model, the
validity of a key is only determined by its signatures.

If you are using GnuPG 2.1.10, you could have a look at the "tofu" or
"tofu+pgp" trust models, which allow you to do something like this:

    gpg2 --tofu-policy good 0xKEYID

to say that the specified key is fully valid.

> Is the semantics of signing with lsign or sign "the info in this key
>  is accurate"?

Yes. "Signing" (or, more accurately, "certifying") a key roughly means
"I certify that this public key belongs to the person correctly 
identified in the User ID".

> Is this separate from the "trust" thing, which is for trusting this
> key to certify others?

This is completely separate. Unfortunately, the word or verb "trust" is
sometimes used to refer to the *validity* of a key (as in the sentence 
"I *trust* that this key belongs to the person specified in the User ID").

> When I had first signed an imported key, it showed "trust: unknown".
> But when I did "trust", then "1 = I don't know or won't say", it
> showed "trust: undefined".  What is the difference between these two
> values?

"Unknown" means that no trust has yet been explicitly assigned to the
key; "undefined" means you explicitly said that you didn't know how much
to trust the key. Both values imply that any certification emitted by
this key will be ignored.

> Am I right in thinking it's the "validity" field which is affected by
> "sign"?

Yes. In the "classic" or "pgp" trust models, the validity of a key is
calculated by looking at the certifications carried by that key.

By signing the key, you add to it a certification emitted by your own
key; since your key has ultimate trust, that certification is enough to
fully validate the target key.
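
As an added illustration (not part of the original message), the Python sketch below reads `gpg --list-keys --with-colons` output and reports validity (field 2) and owner trust (field 9) separately, the two values the reply distinguishes. The sample listing and its key IDs are constructed; the field positions and letter codes are the ones documented in GnuPG's doc/DETAILS.

```python
"""Separate key validity from owner trust in gpg --with-colons output."""

# Letter codes used in field 2 (validity) and field 9 (owner trust).
LEVELS = {"-": "unknown", "q": "undefined", "n": "never",
          "m": "marginal", "f": "full", "u": "ultimate"}

# Owner-trust codes under which certifications made by the key are counted.
# "unknown" and "undefined" are both absent: either way they are ignored.
COUNTED = {"m", "f", "u"}

# Constructed sample (made-up key IDs and timestamps):
#   AAAA... own key, BBBB... locally signed, owner trust never set,
#   CCCC... locally signed, owner trust set to "1 = I don't know",
#   DDDD... locally signed, owner trust set to marginal.
SAMPLE = """\
tru::1:1452510000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1452000000:::u:::scESC:
uid:u::::1452000000::0000::Me (constructed) <me@example.org>:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1451000000:::-:::scESC:
pub:f:2048:1:CCCCCCCCCCCCCCCC:1450000000:::q:::scESC:
pub:f:2048:1:DDDDDDDDDDDDDDDD:1449000000:::m:::scESC:
"""


def classify(listing):
    """Return one dict per primary key with validity and owner trust."""
    rows = []
    for line in listing.splitlines():
        fields = line.split(":")
        # Owner trust is only reported on primary-key ("pub") records.
        if fields[0] != "pub" or len(fields) < 9:
            continue
        validity = fields[1][:1] or "-"
        trust = fields[8][:1] or "-"   # later versions may append more data
        rows.append({
            "keyid": fields[4],
            "validity": LEVELS.get(validity, validity),
            "ownertrust": LEVELS.get(trust, trust),
            "certifications_counted": trust in COUNTED,
        })
    return rows


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print("{keyid}  validity={validity:<9} ownertrust={ownertrust:<9} "
              "certifications counted: {certifications_counted}".format(**row))
```
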

