fingerprint of key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Aug 18 05:19:58 CEST 2017


On Thu 2017-08-17 22:39:21 -0300, Duane Whitty wrote:
> Sounds like a good approach but for someone who has more public keys
> stored than me.  I only exchange encrypted email with a very, very
> small group of people and I am in regular voice communication with
> them.

If you're going to manage a keyring manually, this is the right way to
do it, regardless of how many OpenPGP certificates you have in your
keyring.  (it's actually easier to do when you only have a few)

> I guess using that approach I could import public keys from users on
> this list and then assign them various levels of trust, right down to
> no trust and not locally signed at all.

Note that nothing I outlined in my earlier suggestions involved you
setting "trust levels" (a.k.a. "ownertrust") at all.

Setting "full trust" on a key means "I'm willing to accept identity
assertions made by the owner of this key" -- it's equivalent to "adding
a root CA to your browser" in some sense.

You can use GnuPG for years without ever setting any sort of ownertrust
on any key but your own (and if you generated your key in gpg, it
probably already has ultimate ownertrust).

Start with "whose keys do i believe i've checked?" -- that's plain
keysigning.

Then, only later, if you really want to get into the whole web-of-trust
thing, should you consider setting ownertrust.

> I suppose I chose to use apt or apt-get because it seems like a more
> convenient way to update things as opposed to getting it straight from
> Oracle.

well said :)

> What I mean is that I have 2 email addresses which each have a
> different private key.  The key for duane at nofroth.com is
> associated with the private counterpart to the key you fetched.  I have
> another email address with a different private key associated with it.

I see, so you're talking about signing with a different key (not a
different uid).  You might want to look into adding the --default-key or
--local-user options before you do your next --edit-key operation.

All the best,

    --dkg
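The two points in the message above, that plain key signing needs no ownertrust on anyone's key but your own, and that --local-user picks which of several own keys makes the certification, as one added example that is not part of the thread and not GnuPG's own code. It assumes GnuPG 2.1 or later (gpg and gpgconf) on PATH; the keys, names and addresses are constructed for the demo and live in throwaway homedirs that are deleted at the end.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG itself.
# Assumes GnuPG 2.1 or later (gpg, gpgconf) on PATH. Every key, name and
# address below is constructed for the demo and lives in throwaway homedirs.
set -e

# True when a GnuPG 2.1+ that understands the --quick-* commands is available.
have_gpg() {
    command -v gpg >/dev/null 2>&1 && command -v gpgconf >/dev/null 2>&1 &&
        gpg --version 2>/dev/null | head -n 1 | grep -qE ' 2\.[1-9]'
}

# Create an unprotected key in homedir $1 for user id $2; print its fingerprint.
make_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never 2>/dev/null
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null |
        awk -F: '/^fpr:/ { print $10; exit }'
}

# Calculated validity (field 2 of the uid: line) of key $2 in homedir $1.
uid_validity() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null |
        awk -F: '/^uid:/ { print $2; exit }'
}

# The long key id is the last 16 hex digits of a fingerprint.
keyid_of() {
    printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 15) }'
}

demo_keysigning_without_ownertrust() {
    MINE="$(mktemp -d)"
    THEIRS="$(mktemp -d)"

    # Two keys of my own (the two-address situation in the thread). GnuPG gives
    # them ultimate ownertrust at generation time; that is all we rely on.
    ONE_FPR="$(make_key "$MINE" 'One <one@example.invalid>')"
    TWO_FPR="$(make_key "$MINE" 'Two <two@example.invalid>')"
    ONE_KEYID="$(keyid_of "$ONE_FPR")"
    TWO_KEYID="$(keyid_of "$TWO_FPR")"

    # A correspondent's key, generated in a separate homedir and brought in as a
    # public key only, the way a key fetched from a keyserver or a mail would be.
    FRIEND_FPR="$(make_key "$THEIRS" 'Friend <friend@example.invalid>')"
    GNUPGHOME="$THEIRS" gpg --batch --armor --export "$FRIEND_FPR" 2>/dev/null |
        GNUPGHOME="$MINE" gpg --batch --quiet --import 2>/dev/null

    FRIEND_VALIDITY_BEFORE="$(uid_validity "$MINE" "$FRIEND_FPR")"

    # "Whose key have I checked?": a local, non-exportable certification made
    # with my second key, chosen by --local-user. No --edit-key, no trust step.
    GNUPGHOME="$MINE" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$TWO_FPR" --quick-lsign-key "$FRIEND_FPR" 2>/dev/null
    GNUPGHOME="$MINE" gpg --batch --quiet --check-trustdb 2>/dev/null

    FRIEND_VALIDITY_AFTER="$(uid_validity "$MINE" "$FRIEND_FPR")"
    # Who certified the key? Field 5 of each sig: line is the signer's key id
    # (the friend's own self-signature shows up in this list as well).
    SIGNER_KEYIDS="$(GNUPGHOME="$MINE" gpg --batch --with-colons --check-sigs "$FRIEND_FPR" 2>/dev/null |
        awk -F: '/^sig:/ { print $5 }' | sort -u | tr '\n' ' ')"
    # Only keys with an explicit ownertrust appear here: my two, never the friend's.
    OWNERTRUST_EXPORT="$(GNUPGHOME="$MINE" gpg --batch --export-ownertrust 2>/dev/null)"

    GNUPGHOME="$MINE" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$THEIRS" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$MINE" "$THEIRS"
}

if [ "${1-}" = "run" ]; then
    have_gpg || { echo "needs GnuPG 2.1+ on PATH" >&2; exit 1; }
    demo_keysigning_without_ownertrust
    echo "friend uid validity before/after lsign: $FRIEND_VALIDITY_BEFORE / $FRIEND_VALIDITY_AFTER"
    echo "certified by key ids: $SIGNER_KEYIDS(mine: one=$ONE_KEYID two=$TWO_KEYID)"
    echo "keys with ownertrust set:"; echo "$OWNERTRUST_EXPORT" | grep -v '^#'
fi
```

Run it as `sh lsign-demo.sh run`. The friend's uid goes from unknown to full validity purely because an ultimately trusted key of mine certified it, the certification carries the key id of the key named in --local-user rather than the first key in the keyring, and --export-ownertrust still lists only my own two fingerprints. That last line is the practical check for "have I set ownertrust on anything I did not mean to?"; in the default pgp trust model, everything else in the listing comes from signatures, not from trust settings.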