
Re: Removing < 2048 bit keys from the Debian keyrings



On Tue, Sep 02 2014, Matthias Urlichs wrote:

> there's a GPG option (via the *-cert-level options, see 'man gpg')
> to state how carefully you did verify their identity, but ultimately
> it's up to you.

        That is not how I interpreted that option.

,----[ http://tools.ietf.org/html/rfc4880#section-5.2.3.13 ]
| 5.2.3.13. Trust Signature
| 
|  (1 octet "level" (depth), 1 octet of trust amount)
| 
|  Signer asserts that the key is not only valid but also trustworthy at
|  the specified level.  Level 0 has the same meaning as an ordinary
|  validity signature.  Level 1 means that the signed key is asserted to
|  be a valid trusted introducer, with the 2nd octet of the body
|  specifying the degree of trust.  Level 2 means that the signed key is
|  asserted to be trusted to issue level 1 trust signatures, i.e., that
|  it is a "meta introducer".  Generally, a level n trust signature
|  asserts that a key is trusted to issue level n-1 trust signatures.
|  The trust amount is in a range from 0-255, interpreted such that
|  values less than 120 indicate partial trust and values of 120 or
|  greater indicate complete trust.  Implementations SHOULD emit values
|  of 60 for partial trust and 120 for complete trust.
`----

        For a personal (non-work) GPG key, I am not sure I ever want to
 sign above a level 0, and thus give the key a "right" to sign on my
 behalf. Also, it indicates a statement of belief in someone's ability
 to make proper certifications (and avoid improper ones), in addition to
 a statement of belief that the identity of the keyholder is correctly
 stated. I have no idea how to assess the former, except for the few
 people I have had a technical conversation with about their key signing
 policies, and even then, there are few people whose beliefs and
 conventions align closely to mine.

        Here is some more detail from the mailing lists:

,----[ http://lists.gnupg.org/pipermail/gnupg-users/2005-May/025612.html ]
| tsign is just like sign (or lsign) except that you are asked a few
| more questions by GnuPG.  Think of tsign as a combination of a regular
| signature plus the ownertrust.  This combines two different things
| from the classic trust model into one signature.
| 
| First you are asked:
| 
|    Please decide how far you trust this user to correctly verify other
|    users' keys (by looking at passports, checking fingerprints from
|    different sources, etc.)
| 
|      1 = I trust marginally
|      2 = I trust fully
| 
| This is similar to the question you get asked when setting ownertrust.
| What GnuPG is asking is not how much you trust the user, but how much
| you trust the user to make good signatures.
| 
| The next question is:
| 
|    Please enter the depth of this trust signature.
|    A depth greater than 1 allows the key you are signing to make
|    trust signatures on your behalf.
| 
| The signature depth is how many levels "deep" can the power granted by
| this signature travel.  For example, a level of 1 means that the key
| you sign is valid for you (just like a regular signature), but also
| that the ownertrust for this key is automatically set to MARGINAL or
| FULL (depending on how you answered the first question).  A level of 2
| means that the key you sign is valid for you, and the ownertrust is
| automatically set, AND (assuming the trust made it to FULL) that this
| key can issue signatures up to level 1 on your behalf.  A level of 3
| means all that, plus the key can issue signatures up to level 2, etc.
| 
| You can think of a regular signature as a trust signature with a depth
| of 0.
| 
| The next question:
| 
|    Please enter a domain to restrict this signature, or enter for none.
| 
| This allows you to restrict (by domain name) the power of the
| signature.  For example, let's say that you wanted to make a level 2
| signature on a CA key for a particular company.  You should be careful
| with making any level above 1, so you want to restrict this to that
| company.  By giving a restriction of companyname.com here, only
| signatures issued by the CA key on keys in companyname.com will take
| effect.
`----


        manoj
-- 
Have at you!
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
4096R/C5779A1C E37E 5EC5 2A01 DA25 AD20  05B6 CF48 9438 C577 9A1C
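The depth and domain semantics quoted above (a level n trust signature lets the signee issue level n-1 trust signatures on your behalf, amount 120 or more is complete trust, and a domain restriction limits where the signee's certifications count) are easiest to see on a small key graph. The following is an added example, not code from this thread or from GnuPG: it models those RFC 4880 section 5.2.3.13 rules over an in-memory set of certifications with made-up key ids and user ids, using GnuPG's default thresholds (one complete or three partial introducers make a key valid). It simplifies real GnuPG in two places it flags in comments: the domain restriction is compared as a plain email domain rather than the regular-expression subpacket GnuPG actually writes, and a key's introducer status is taken from the single strongest accepted trust signature rather than a full ownertrust computation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

COMPLETE_TRUST = 120   # RFC 4880: amount >= 120 is complete trust, below is partial
UNBOUNDED = 10 ** 6    # stand-in depth for our own (root) key

@dataclass(frozen=True)
class Cert:
    signer: str                   # certifying key id
    signee: str                   # certified key id
    depth: int = 0                # 0 = ordinary signature, n > 0 = level-n trust signature
    amount: int = 0               # 60 partial, 120 complete (only meaningful when depth > 0)
    domain: Optional[str] = None  # restriction on the signee's introducer power (GnuPG asks for this)

@dataclass
class Introducer:
    depth: int             # trust-signature levels this key may still issue on our behalf
    full: bool             # complete (True) or partial (False) trust as an introducer
    domain: Optional[str]  # its certifications only count for user ids in this domain

def email_domain(uid: str) -> str:
    """Domain of an email-style user id such as 'Alice <alice@example.com>'.
    Simplification: GnuPG stores a regular expression, not a bare domain."""
    return uid.rsplit("@", 1)[-1].rstrip(">").lower()

def compute_validity(root: str, keys: Dict[str, str], certs: List[Cert],
                     completes_needed: int = 1, marginals_needed: int = 3) -> Dict[str, int]:
    """Return {keyid: remaining introducer depth} for every key valid from root's view.

    A level-n trust signature from an introducer with remaining depth r grants the
    signee min(n, r - 1) levels (RFC 4880 5.2.3.13). Depth 0 means 'valid, introduces
    nobody'. Keys that never reach the threshold are absent from the result.
    """
    state: Dict[str, Introducer] = {root: Introducer(UNBOUNDED, True, None)}
    progress = True
    while progress:                      # iterate until no new key becomes valid
        progress = False
        for signee, uid in keys.items():
            if signee in state:
                continue
            full = partial = 0
            best: Optional[Introducer] = None
            for c in certs:
                if c.signee != signee or c.signer not in state:
                    continue
                s = state[c.signer]
                if s.depth < 1:
                    continue             # valid key, but not an introducer: no weight
                if s.domain and email_domain(uid) != s.domain:
                    continue             # introducer restricted to another domain
                if s.full:
                    full += 1
                else:
                    partial += 1
                granted = min(c.depth, s.depth - 1)
                cand = Introducer(granted, c.amount >= COMPLETE_TRUST, c.domain)
                if best is None or granted > best.depth:
                    best = cand          # simplification: strongest single tsig wins
            if full >= completes_needed or partial >= marginals_needed:
                state[signee] = best if best.depth > 0 else Introducer(0, False, None)
                progress = True
    return {k: v.depth for k, v in state.items()}

# Constructed scenario (all names and ids are made up for this example).
KEYS = {
    "ROOT": "Root <root@example.com>",
    "CA": "Example CA <ca@example.com>",
    "ALICE": "Alice <alice@example.com>",
    "BOB": "Bob <bob@example.com>",
    "CAROL": "Carol <carol@example.com>",
    "DAVE": "Dave <dave@example.com>",
    "MALLORY": "Mallory <mallory@other.org>",
    "EVE": "Eve <eve@example.com>",
    "FRANK": "Frank <frank@example.com>",
}
CERTS = [
    Cert("ROOT", "CA", depth=2, amount=120, domain="example.com"),  # level 2, restricted to one domain
    Cert("CA", "ALICE", depth=1, amount=120),     # CA makes Alice a level-1 introducer
    Cert("CA", "MALLORY", depth=1, amount=120),   # outside CA's domain: carries no weight
    Cert("ALICE", "BOB"),                         # ordinary signature: Bob is valid, depth 0
    Cert("ALICE", "CAROL", depth=1, amount=120),  # Alice has no level left to delegate: Carol gets depth 0
    Cert("CAROL", "DAVE"),                        # Carol introduces nobody: Dave stays invalid
    Cert("ROOT", "EVE", depth=1, amount=60),      # partial-trust introducer
    Cert("EVE", "FRANK"),                         # one partial introducer is below marginals-needed
]

def demo() -> Dict[str, int]:
    return compute_validity("ROOT", KEYS, CERTS)

if __name__ == "__main__":
    for keyid, depth in demo().items():
        print(f"{keyid:8s} valid, may issue level-{depth} trust signatures for us")
```

The run shows the two points from the quoted explanation: CA's level-2 signature lets Alice act at level 1 but stops there (Carol ends up valid with depth 0, so Dave is not reached), and CA's domain restriction makes its certification of a key outside that domain count for nothing.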
