cross-certification

Werner Koch wk at gnupg.org
Wed Sep 13 10:55:48 CEST 2006


On Sun, 27 Aug 2006 12:07, Dirk Traulsen said:

>  @item --require-cross-certification
> - at itemx --no-require-certification
> + at itemx --no-require-cross-certification
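
Review bot: the misspelled `--no-require-certification` on the removed line may not be the only occurrence in the manual, and this hunk corrects just the one itemx entry under `@item --require-cross-certification`. Grep the documentation sources for the old spelling and fix any remaining hits in the same change, so that a user who copies the option from the docs gets the name shown on the added line, `--no-require-cross-certification`.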

Fixed.  Also made --require-cross-certification the default for gpg2.

> 2. 
> When one issues the help command in the edit-key menu, there comes a list of commands. "cross-certify" is missing. I had a look at keyedit.c and the 
> non-listed commands are the short cuts and the aliases. So it doesn't seem to be a deliberate omission. Here is a proposal for a text. (The only 

There are not that many signing subkeys out in the wild and the
"backsign" command is a helper to fix existing keys.  For new subkeys
it is not required.  The error message issued for a missing backsig
points to a web page explaining how to rectify this.  Thus there is no
need to advertise this command.

> other missing commands are delphoto and revphoto. Are they intentionally omitted?)

Not sure.  David?

> gpg: Signature made 08/22/06 10:02:04 using DSA key ID 0A77A149
> gpg: WARNING: signing subkey 0A77A149 is not cross-certified
> gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
> gpg: Can't check signature: general error
>
> This seems a bit too harsh for me, especially when it will be default. The signature could

We want people to update their key.  Experience shows that a warning
is not sufficient.  If people don't like to update their key they may
still use --no-require-cross-certification.

> Then I wanted to export and import it on another computer.
> gpg did not import (merge) the new key, because: 
> gpg: key 12345678: already in secret keyring.
> gpg did not recognize the new cross-certification. I had to delete the old key before

You only need to import the public key.  Updating the secret key is a
long-standing problem.

Thanks,

  Werner



