Local-signing without (offline) private master key

Damien Goutte-Gattat dgouttegattat at incenp.org
Mon Sep 12 14:16:46 CEST 2016

On 09/12/2016 11:04 AM, André Colomb wrote:
> Maybe the upcoming TOFU trust model would help my usage pattern?

I think so. Marking the binding between your correspondent's key and its 
email address with a "good" TOFU policy (something that does not require 
your private primary key) would be equivalent to locally signing the 
key: it's a private statement (only available to yourself) that you 
regard that key as valid, i.e. as belonging to the User ID it carries.

This does not prevent you from continuing to use the Web-of-Trust if 
you're so inclined, as the "tofu+pgp" model allows you to use both TOFU 
assertions and WoT certifications to validate a key.

If you're already using GnuPG >= 2.1.10 (with support for the TOFU 
model), I would argue this is your best option.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160912/3ce382ca/attachment.sig>

More information about the Gnupg-users mailing list