On Tue 2015-09-15 06:39:34 -0400, Mike Acker wrote:
> be sure you are not confusing validity (signed) with trust (setting)

To clarify what Mike says here:

 * the validity of a key for a given user ID answers the question "does this key belong to the person identified by the User ID?"

 * trust (aka "ownertrust") answers the question "am I willing to rely on the person who holds this key to identify other people's keys?"

For example, your own key by default has "ultimate" ownertrust, because GnuPG is willing to rely on any certifications made by your own key.

So if you have a certificate for "Alice Smith <[email protected]>" that you believe really does belong to the Alice Smith you know with that e-mail address, do *not* set ownertrust on an OpenPGP key just because you want to make GnuPG recognize that the key is valid for that e-mail address.

Instead, you should certify the User ID of the OpenPGP cert with your own (ultimately-trusted) key:

    gpg --sign-key ="Alice Smith <[email protected]>"

If you don't want other people to see your certification (e.g., if you've decided it's good enough for your personal use but you don't want others to rely on it), use --lsign-key instead of --sign-key to make a "local" (aka "non-exportable") certification.

After this certification, GnuPG will know that the certificate is valid, but you won't have accidentally given Alice the ability to certify *other* keys.

hth,

        --dkg

_______________________________________________
enigmail-users mailing list
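
An added example, not part of the original message: a small audit that reads `gpg --with-colons --list-keys` output and separates validity (field 2) from ownertrust (field 9 of the `pub` record), listing keys other than your own whose certifications GnuPG will rely on. The sample records, fingerprints and function names are constructed for illustration; the set of your own fingerprints is assumed to come from `gpg --with-colons --list-secret-keys`.

```python
# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1400000000::HASH0::Me <me@example.org>:
pub:f:4096:1:BBBBBBBBBBBBBBBB:1400000000:::-:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:f::::1400000000::HASH1::Alice Smith <alice@example.org>:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1400000000:::u:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1400000000::HASH2::Bob Jones <bob@example.org>:
"""

# Ownertrust letters that make GnuPG count a key's certifications.
INTRODUCER = {"m": "marginal", "f": "full", "u": "ultimate"}


def parse_keys(colons):
    """Return one dict per primary key: fingerprint, ownertrust, (validity, uid) pairs."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fpr": None, "ownertrust": f[8][:1], "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]          # first fpr after pub is the primary key's
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append((f[1], f[9]))
    return keys


def unintended_introducers(keys, own_fprs):
    """Keys that are not ours but carry ownertrust, so they can validate other keys."""
    return [k for k in keys
            if k["fpr"] not in own_fprs and k["ownertrust"] in INTRODUCER]


def valid_only(keys):
    """Keys with a valid User ID and no ownertrust: the state a (local) signature gives."""
    return [k for k in keys
            if k["ownertrust"] not in INTRODUCER
            and any(v in ("f", "u") for v, _ in k["uids"])]


if __name__ == "__main__":
    own = {"1111111111111111111111111111111111111111"}
    for k in unintended_introducers(parse_keys(SAMPLE), own):
        print("ownertrust", INTRODUCER[k["ownertrust"]], "on", k["uids"][0][1])
```

In the sample, Alice's key is valid without ownertrust, while Bob's key was made valid by assigning ultimate ownertrust and is reported.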
