On 03/02/2013 01:48 AM, Doug Barton wrote:
> On 03/01/2013 03:37 PM, Davíð Steinn Geirsson wrote:
> | I signed a few keys recently using --edit-key and the 'trust' command,
> | which did not ask me how well I had verified the user's identity, but
> | proceeded to generate a 'sig' signature on the keys. I've since found
> | out I now need to use the --ask-cert-level option to get this prompt.
> |
> | As I did extensive verification of the identity of the
> | keyholders (verifying government IDs), I'd like to resign these keys
> | with a sig3.

note that what you're trying to do here is to change the certification level, which is entirely different from changing the "owner trust" mentioned in the subject line.

certification level indicates how carefully you verified identity information. this is a subjective measure, and is not actually used by gpg other than to ignore "casual" (sig1) certifications. The certification level might be used by some other OpenPGP implementations, but "generic" certification is so common that those implementations should probably have a reasonable behavior even without a specified cert-level.

owner trust, on the other hand, is a private indication (usually only visible to your GnuPG implementation) of how much you are willing to rely on other OpenPGP certifications made by the keyholder.

These are distinct and orthogonal concepts -- please don't conflate them!

> You don't want to revoke the signature, since it is still valid. You
> want to use the delsig option when editing the key.

or just supply the --expert option to gpg, which should permit you to make a second certification.

> If the old signature was ever sent to a key server, it will remain
> there, but the new one with the higher cert level will be preferred.

While this is true, it's worth noting that the second certification will be preferred because it is more recent than the first, not because of the higher chosen cert-level.

hth,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
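As an added example (not part of the original messages and not GnuPG's own code): a small Python sketch that reads output in the colon-delimited layout of `gpg --with-colons --list-sigs`, maps the signature class field to the sig/sig1/sig2/sig3 labels used in this thread, and picks each issuer's most recent certification regardless of its level. The key IDs, timestamps and names are constructed, and the sketch assumes no certification revocations are present.

```python
from collections import defaultdict

# Constructed sample in the layout of `gpg --with-colons --list-sigs`.
# Field 5 = issuer key ID, field 6 = creation time, field 11 = signature
# class (two hex digits) followed by 'x' (exportable) or 'l' (local).
SAMPLE = """\
pub:f:2048:1:AAAAAAAAAAAAAAAA:1325376000:::-:::scESC:
uid:f::::1325376000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example:
sig:::1:AAAAAAAAAAAAAAAA:1325376000::::Alice Example:13x:
sig:::1:BBBBBBBBBBBBBBBB:1362000000::::Bob Example:10x:
sig:::1:BBBBBBBBBBBBBBBB:1362200000::::Bob Example:13x:
sig:::1:CCCCCCCCCCCCCCCC:1362100000::::Carol Example:11l:
sig:::1:DDDDDDDDDDDDDDDD:1361000000::::Dave Example:13x:
sig:::1:DDDDDDDDDDDDDDDD:1362300000::::Dave Example:10x:
"""

# OpenPGP certification classes and the labels gpg shows for them.
LEVEL_LABEL = {0x10: "sig", 0x11: "sig1", 0x12: "sig2", 0x13: "sig3"}


def certifications(colon_output):
    """Return {issuer key ID: [(created, label, exportable), ...]}, oldest first."""
    by_issuer = defaultdict(list)
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11 or len(f[10]) < 2:
            continue  # pub/uid/sub records and malformed lines
        sig_class = int(f[10][:2], 16)
        if sig_class not in LEVEL_LABEL:
            continue  # not a user ID certification (assumption: skipped here)
        exportable = f[10][2:] == "x"
        by_issuer[f[4]].append((int(f[5]), LEVEL_LABEL[sig_class], exportable))
    for certs in by_issuer.values():
        certs.sort()  # tuples sort by creation time first
    return dict(by_issuer)


def preferred(colon_output):
    """Most recent certification per issuer, whatever its cert level."""
    return {kid: certs[-1] for kid, certs in certifications(colon_output).items()}


if __name__ == "__main__":
    for kid, (created, label, exportable) in sorted(preferred(SAMPLE).items()):
        print(kid, created, label, "exportable" if exportable else "local")
```

In the sample, issuer BBBB... ends up with sig3 because it was made later, while issuer DDDD... ends up with a plain sig even though an older sig3 exists.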