Expanding web-of-trust with subkey

Didrik Nordström didrik.nordstrom at gmail.com
Wed Feb 15 04:02:08 CET 2017

Hi, I am new to using PGP in general, but fairly confident in the
cryptographic primitives and the overall concepts. I have issued a master
key on cold storage, and subkeys on my primary machine (one with encryption
and one with signing privileges).

I wanted to send an email to a new contact (a bug report to a software
project) so I added the public key and assigned it "Fully trusted" (4).

Then I ran `gpg2 -esa -r <recipient address>` and gpg tells me:
*It is NOT certain that the key belongs to the person named in the user
ID.  If you *really* know what you are doing, you may answer the next
question with yes.*

Does this have to do with me not having signed the key? If I assigned it
"Ultimate trust" (5) the warning disappeared.

I tried signing the key:
*Really sign? (y/N) y*
*gpg: signing failed: No secret key*
*gpg: signing failed: No secret key*

It took me quite a while to figure out that I can't sign someone's key with
a master key. (Maybe the error message can be improved?)

So... Do I need access to my master key in order to expand my web of trust?
This seems like quite a restriction.

How do you handle key management? Let's say you just want to send a signed
and encrypted email once to someone who announced their pubkey over https?
What type of trust would you assign?

Best, Didrik
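The "No secret key" error described above comes from the fact that certifying another person's key (what `gpg --sign-key` does) requires the certify capability, which an OpenPGP key carries only on its primary key; a signing subkey can sign mail but cannot make certifications. The following Python script, added here as an illustration and not part of the original post or of GnuPG, reads the machine-readable output of `gpg --with-colons --list-secret-keys` and reports which operations the locally present secret material actually supports. Field positions follow GnuPG's doc/DETAILS (record type, key ID, capabilities in field 12, and the `#` stub marker in field 15); the two listings embedded below are constructed samples, one with the primary key kept offline and one with it present, not output from a real keyring.

```python
"""Work out which OpenPGP operations the locally present secret keys allow,
from the output of `gpg --with-colons --list-secret-keys`.

Field numbering is from GnuPG doc/DETAILS (1-based there, 0-based here):
  field 1  record type   (sec = primary secret key, ssb = secret subkey)
  field 5  key ID
  field 12 capabilities  (lowercase letters are this key's own: c, s, e, a)
  field 15 '#' means the secret part is only a stub (key kept offline)
"""

CAP_NAMES = {"c": "certify", "s": "sign", "e": "encrypt", "a": "auth"}

# Constructed sample: primary key offline (stub, '#'), signing and
# encryption subkeys present ('+').  Key IDs and fingerprints are fake.
OFFLINE_MASTER = """\
sec:u:4096:1:0123456789ABCDEF:1486000000:::u:::cESC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1486000000::0000000000000000000000000000000000000000::Example User <user at example.org>::::::::::0:
ssb:u:4096:1:1111111111111111:1486000000::::::s:::+:::23:
ssb:u:4096:1:2222222222222222:1486000000::::::e:::+:::23:
"""

# Constructed sample: same key, but the primary secret key is present ('+').
ONLINE_MASTER = OFFLINE_MASTER.replace(":cESC:::#:", ":cESC:::+:")


def parse_secret_listing(listing):
    """Return (record_type, keyid, own_capabilities, is_stub) for each sec/ssb record."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue  # fpr, uid, grp and other records carry no secret-key info
        own_caps = {c for c in fields[11] if c.islower()}
        is_stub = len(fields) > 14 and fields[14] == "#"
        keys.append((fields[0], fields[4], own_caps, is_stub))
    return keys


def usable_capabilities(listing):
    """Map each capability to True only if a key with real secret material has it."""
    usable = {name: False for name in CAP_NAMES.values()}
    for _rtype, _keyid, caps, is_stub in parse_secret_listing(listing):
        if is_stub:
            continue  # a stub cannot perform any private-key operation
        for c in caps:
            if c in CAP_NAMES:
                usable[CAP_NAMES[c]] = True
    return usable


def explain(listing):
    """Human-readable summary of what this keyring can and cannot do right now."""
    caps = usable_capabilities(listing)
    notes = []
    notes.append("sign mail: " + ("yes" if caps["sign"] else "no"))
    notes.append("decrypt mail: " + ("yes" if caps["encrypt"] else "no"))
    if caps["certify"]:
        notes.append("certify other keys: yes (primary secret key is present)")
    else:
        notes.append("certify other keys: no; the certify capability is on the "
                     "primary key and its secret part is only a stub, so "
                     "gpg --sign-key fails with 'No secret key'")
    return notes


if __name__ == "__main__":
    for label, listing in (("offline master", OFFLINE_MASTER),
                           ("online master", ONLINE_MASTER)):
        print(f"[{label}]")
        for note in explain(listing):
            print("  " + note)
```

On a real system, pipe the actual listing in with `gpg --with-colons --list-secret-keys` and call `explain()` on it; a `sec` record whose 15th field is `#` is exactly the situation in the post, where `--sign-key` cannot work until the primary key is brought back from cold storage (or a local `lsign` is made with it there).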