Local-signing without (offline) private master key

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Mon Sep 12 15:32:22 CEST 2016


On 09/12/2016 01:08 PM, Nathan Musoke wrote:
>> Now I want to import someone else's key to verify a signature. In order
>> to verify that signature, I need to at least locally sign the owner's
>> key, AFAIK. However, I would need my offline master key (read: really
>> inconvenient) to issue a signature.
> 
> I'm no expert, but as far as I know you don't need to locally sign a key to
> verify a signature. My understanding is that setting the local trust should
> be sufficient to make GnuPG happy. See
> https://www.gnupg.org/gph/en/manual/x334.html
> 
> (Someone please correct me if I'm wrong...)

This is wrong; trust and validity are distinct and separate concepts.
You use a local signature to assign an ephemeral validity; trust would
be a matter of whether you believe/trust in the other party's ability to
certify third parties (and, with the exception of ultimate trust, which
you should only use on keys you control yourself, already requires the
key to be validated).

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Ab esse ad posse
From being to knowing
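
The distinction drawn in this reply, as an added example that is not part of the original thread and is not GnuPG code: a simplified Python model of the classic trust model, in which a key becomes valid through certifications from already-valid keys, while ownertrust only decides whether a key's own certifications count. The key names and the certification graph are constructed; path-length limits, expiry and revocation are left out, and a local signature is modelled as a certification by the ultimately trusted key `me`.

```python
# Added illustration: simplified model of GnuPG's classic trust model.
# Key names and the certification graph are constructed sample data.
FULL_NEEDED = 1      # GnuPG default for --completes-needed
MARGINAL_NEEDED = 3  # GnuPG default for --marginals-needed

def valid_keys(ownertrust, certs):
    """Return the set of keys whose validity can be established.

    ownertrust: key -> "ultimate" | "full" | "marginal" (absent = unknown)
    certs: key -> set of keys that have signed (certified) it
    """
    # Ultimately trusted keys (your own) are valid by definition.
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:  # iterate to a fixed point
        changed = False
        for key, signers in certs.items():
            if key in valid:
                continue
            # Only signatures from keys that are themselves valid count.
            counted = signers & valid
            ultimate = sum(ownertrust.get(s) == "ultimate" for s in counted)
            full = sum(ownertrust.get(s) == "full" for s in counted)
            marginal = sum(ownertrust.get(s) == "marginal" for s in counted)
            if ultimate or full >= FULL_NEEDED or marginal >= MARGINAL_NEEDED:
                valid.add(key)
                changed = True
    return valid

def scenario(trust_alice, locally_signed):
    """Validity of 'alice' and of 'bob' (a key alice has certified)."""
    ownertrust = {"me": "ultimate"}
    if trust_alice:
        ownertrust["alice"] = "full"
    certs = {"alice": {"me"} if locally_signed else set(), "bob": {"alice"}}
    v = valid_keys(ownertrust, certs)
    return "alice" in v, "bob" in v

if __name__ == "__main__":
    print(scenario(trust_alice=True, locally_signed=False))   # trust only
    print(scenario(trust_alice=False, locally_signed=True))   # lsign only
    print(scenario(trust_alice=True, locally_signed=True))    # both
```

In this model, ownertrust alone leaves `alice` invalid, the local signature alone validates `alice` but not `bob`, and both together validate `bob` as well.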
