AW: How does trust work?
Rich Bodo
rsb@ostel.com
Fri, 25 Aug 2000 05:16:41 -0700 (PDT)
>
> If you *really* did all the things you described, and Jim signed his
> communication keys with his auth key, then the comm keys should get
> accepted, I think. Have you tried gpg --check-sigs on both keys?
> Does gpg --edit-key <auth-key> list the trust as "f/f"?
>
Thanks for the reply. I really did all the things I said (sign, add,
trust, update, add, update, etc.). I think the path of trust should
be complete as well, although I think my logic in my last e-mail was
flawed. I assumed that who owns a key matters, and now I think it doesn't.
All that matters is that there is a "path of signatures" leading back
to my key. I think the path of signatures here is complete, but gpg
claims there is not enough info to evaluate trust of my friend's comm-key.
This is what --check-sigs and --edit-key reveal. ID1 is his auth-key,
ID2 is his comm-key, ID3 is his comm-sub-key, and ID4 is my key ID.
The IDs 0, -1 and -2 are older keys used by the same individual.
gpg --check-sigs Jim@Jim.com

pub 1024D/ID0 1999-09-05 Jim Smith <Jim@Jim.com>
sig! ID-1 1999-09-05 Jim Smith <Jim@Jim.com>
sub 2048g/ID-2 1999-09-05
sig! ID-1 1999-09-05 Jim Smith <Jim@Jim.com>
pub 1024D/ID2 2000-08-10 Jim Smith <Jim@Jim.com>
sig! ID2 2000-08-10 Jim Smith <Jim@Jim.com>
sig! ID1 2000-08-11 Jim Smith <Jim@Jim.com>
sub 4096g/ID3 2000-08-10 [expires: 2001-02-06]
sig! ID2 2000-08-10 Jim Smith <Jim@Jim.com>
pub 1024D/ID1 2000-02-13 Jim Smith <Jim@Jim.com>
sig! ID1 2000-02-13 Jim Smith <Jim@Jim.com>
sig! ID4 2000-08-19 Rich Bodo <rsb@ostel.com>

gpg --edit-key ID1

pub 1024D/ID1 created: 2000-02-13 expires: never trust: f/f
(1) Jim Smith <Jim@Jim.com>

gpg --edit-key ID2

pub 1024D/ID2 created: 2000-08-10 expires: 2001-02-06 trust: -/q
sub 4096g/ID3 created: 2000-08-10 expires: 2001-02-06
(1) Jim Smith <Jim@Jim.com>

gpg --edit-key ID4

Secret key is available.
pub 1024D/ID4 created: 1999-10-26 expires: never trust: -/u
sub 1024g/ID5 created: 1999-10-26 expires: never
(1) Rich Bodo <rsb@ostel.com>

The two things that look suspicious here are that I have an old key of
his, and my own keys have no ownertrust assigned. I don't think the
old key should matter whatsoever. That my own key has no ownertrust
assigned is a surprise. O.K. I guess having the secret key in my
secret keyring doesn't mean that I trust the owner. I'm sure there is a
good reason for that, I just can't fathom it right now. Let's see
what happens when I mark my own public key as full/ultimate
trust...NOPE :(. GPG still tells me there is no path when I try to encrypt.
Here is the command I use:

gpg -o gpgfile -se -r ID2 clearfile

And here is the error I get:

No path leading to one of our keys found.

4096g/ID3 2000-08-10 "Jim Smith <Jim@Jim.com>"
Fingerprint: blah blah blah

It is NOT certain that the key belongs to its owner.
If you *really* know what you are doing, you may answer
the next question with yes

So I answer no. Well, some new info, if no new solution. If anyone
sees an obvious mistake, please let me know.
-Rich
--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
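The trust-path reasoning discussed in this message, as an added example that is not part of the original post or of GnuPG itself: a small Python model of the classic web-of-trust rules (a signature only confers validity when the signing key is itself valid AND has ownertrust assigned), run over the keys from the --check-sigs listing above as constructed data. The rule set is a deliberate simplification and is an assumption here, not a transcript of gpg's trustdb code.

```python
# Added illustration (not GnuPG's own code): a minimal model of the classic
# web-of-trust computation, using the key IDs and signatures from the
# --check-sigs listing in the post as constructed sample data.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "u", "f", "m", "-"

# signee -> set of signer key IDs (self-signatures included, as gpg lists them)
SIGNATURES = {
    "ID0": {"ID0"},          # Jim's old key, only self-signed
    "ID1": {"ID1", "ID4"},   # Jim's auth key, signed by Rich (ID4)
    "ID2": {"ID2", "ID1"},   # Jim's comm key, signed by his auth key
    "ID4": {"ID4"},          # Rich's own key
}

def compute_validity(sigs, ownertrust, marginals_needed=3, max_depth=5):
    """Return {keyid: validity}. Simplified rules of the classic model:
    a key with ultimate ownertrust is valid by definition; any other key
    becomes fully valid when signed by one *valid* key whose ownertrust is
    full (or ultimate), or by `marginals_needed` valid keys with marginal
    ownertrust; signatures from keys that are not (yet) valid never count.
    `max_depth` bounds the chain length, roughly like gpg's --max-cert-depth."""
    validity = {k: (ULTIMATE if ownertrust.get(k) == ULTIMATE else UNKNOWN) for k in sigs}
    for _ in range(max_depth):
        changed = False
        for key, signers in sigs.items():
            if validity[key] in (ULTIMATE, FULL):
                continue  # already as valid as it can get
            full = marginal = 0
            for s in signers:
                if s == key or validity.get(s) not in (ULTIMATE, FULL):
                    continue  # self-sigs and sigs by non-valid keys do not count
                if ownertrust.get(s) in (ULTIMATE, FULL):
                    full += 1
                elif ownertrust.get(s) == MARGINAL:
                    marginal += 1
            new = FULL if full or marginal >= marginals_needed else (MARGINAL if marginal else UNKNOWN)
            if new != validity[key]:
                validity[key], changed = new, True
        if not changed:
            break
    return validity

if __name__ == "__main__":
    # What the --edit-key output in the post shows: ID1 has f, ID4 has no ownertrust.
    print(compute_validity(SIGNATURES, {"ID1": FULL, "ID4": UNKNOWN}))
    # With the user's own key marked ultimate, the chain ID4 -> ID1 -> ID2 closes.
    print(compute_validity(SIGNATURES, {"ID1": FULL, "ID4": ULTIMATE}))
    # Ultimate on ID4 but no ownertrust on ID1: ID1 is valid, yet ID2 is not,
    # because a valid key's signatures only count once that key has ownertrust.
    print(compute_validity(SIGNATURES, {"ID4": ULTIMATE}))
```

The old key ID0 never becomes valid in any scenario, since nothing in the listing signs it but itself, so it does not influence the path to ID2.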