On Thu 2016-03-10 19:59:24 -0500, Clint Adams wrote:
> Package: gnupg
> Version: 1.4.18-7
>
> When doing a 'tsign' in --edit-key, gpg says
>
> Please enter a domain to restrict this signature, or enter for none.
>
> The meaning of this does not appear to be documented.

fwiw, it means "limit this trust signature to only cover certifications
of User IDs with e-mail addresses that have the given domain after the @
sign".

So if i tsign ad...@example.org's key X with a domain of "example.org",
then gpg will only be willing to rely on certifications from X over user
IDs of the form "blah blah <b...@example.org>".

This is implemented with a specific, custom regex as documented here:

https://tools.ietf.org/html/rfc4880#section-5.2.3.14

This is the rough equivalent of "name-constrained" X.509 CAs.

--dkg
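
An added example, not part of the original message and not GnuPG's own code: it checks which User IDs fall inside the scope of a domain-restricted trust signature, assuming the regular-expression subpacket has the form `<[^>]+[@.]DOMAIN>$` (an assumption about what gpg writes; compare it with the subpacket in the real signature). The function names and the sample User IDs are constructed, and Python's `re` stands in for the regex syntax RFC 4880 specifies.

```python
import re

def tsign_domain_regex(domain: str) -> str:
    """Return the assumed regex body for a tsign restricted to `domain`.

    Assumption: the pattern is <[^>]+[@.]DOMAIN>$ with the domain escaped,
    so it only looks at the angle-bracketed address ending the User ID.
    """
    return "<[^>]+[@.]" + re.escape(domain) + ">$"

def uid_in_scope(user_id: str, domain: str) -> bool:
    """True if a certification over `user_id` would be covered by the tsign."""
    return re.search(tsign_domain_regex(domain), user_id) is not None

def scope_report(user_ids, domain):
    """Map each User ID to whether the restricted trust signature covers it."""
    return {uid: uid_in_scope(uid, domain) for uid in user_ids}

# Constructed sample User IDs, not taken from any real keyring.
SAMPLE_UIDS = [
    "Alice Example <alice@example.org>",        # exact domain after the @
    "Bob <bob@mail.example.org>",               # subdomain: the '.' in [@.]
    "Carol <carol@notexample.org>",             # look-alike suffix, no @ or . before it
    "Dave <dave@example.org.elsewhere.test>",   # domain is not at the end
    "example.org <eve@elsewhere.test>",         # domain only in the display name
    "Frank <frank@example.org> (work)",         # text after the closing '>'
    "grace@example.org",                        # no angle brackets at all
]

if __name__ == "__main__":
    for uid, covered in scope_report(SAMPLE_UIDS, "example.org").items():
        print(("covered    " if covered else "not covered"), uid)
```

Under the assumed pattern, a User ID is only in scope when the address sits in angle brackets at the very end of the string, and addresses at subdomains of the given domain are in scope as well.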