Hi, I am new to using PGP in general, but fairly confident in the cryptographic primitives and the overall concepts. I have issued a master key on cold storage, and subkeys on my primary machine (one with encryption and one with signing privileges).
I wanted to send an email to a new contact (a bug report to a software project), so I added the public key and assigned it "Fully trusted" (4). Then I ran `gpg2 -esa -r <recipient address>` and gpg tells me:

*It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes.*

Does this have to do with me not having signed the key? If I assigned it "Ultimate trust" (5) the warning disappeared. I tried signing the key:

*Really sign? (y/N) y*
*gpg: signing failed: No secret key*
*gpg: signing failed: No secret key*

It took me quite a while to figure out that I can't sign someone's key with a master key. (Maybe the error message can be improved?)

So... do I need access to my master key in order to expand my web of trust? This seems like quite a restriction. How do you handle key management? Let's say you just want to send a signed and encrypted email once to someone who announced their pubkey over https? What type of trust would you assign?

Best,
Didrik
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
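An added example, not part of the original message and not GnuPG's own code: a simplified Python model of GnuPG's default trust model, showing why owner trust level 4 on its own leaves the warning in place, while level 5 or a certification from one's own key removes it. The key names are constructed, and certification depth limits and marginal validity are left out.

```python
# Simplified model of GnuPG's default ("pgp") trust model. Added example, not GnuPG code.
# Ownertrust values follow the numbers in gpg's trust menu (4 = full, 5 = ultimate).
MARGINAL, FULL, ULTIMATE = 3, 4, 5
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3  # GnuPG defaults


def valid_keys(ownertrust, certs):
    """Return the set of keys whose user IDs count as valid in this model.

    ownertrust: {key: level}     how far a key's owner is trusted as a certifier
    certs:      {key: {signers}} which keys have certified (signed) each key
    """
    # Ultimately trusted keys are the roots of the web of trust: always valid.
    valid = {k for k, level in ownertrust.items() if level == ULTIMATE}
    changed = True
    while changed:  # iterate to a fixed point so validity propagates along chains
        changed = False
        for key, signers in certs.items():
            if key in valid:
                continue
            # Only certifications made by keys that are themselves valid count.
            usable = [s for s in signers if s in valid]
            full = sum(ownertrust.get(s, 0) >= FULL for s in usable)
            marginal = sum(ownertrust.get(s, 0) == MARGINAL for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


def encrypt_warns(recipient, ownertrust, certs):
    """True when the recipient key is not valid, the case that triggers the warning."""
    return recipient not in valid_keys(ownertrust, certs)


# Constructed scenarios: "me" is the sender's own key, "contact" the imported key.
# 1. Ownertrust 4 on the contact, no certification: still not valid.
full_only = encrypt_warns("contact", {"me": ULTIMATE, "contact": FULL}, {})
# 2. Ownertrust 5 on the contact: valid, but the contact is now a trust root.
as_ultimate = encrypt_warns("contact", {"me": ULTIMATE, "contact": ULTIMATE}, {})
# 3. No ownertrust on the contact, but certified by the sender's own key: valid.
certified = encrypt_warns("contact", {"me": ULTIMATE}, {"contact": {"me"}})

if __name__ == "__main__":
    print(full_only, as_ultimate, certified)
```

In this model, marking the contact's key as ultimately trusted also makes every key that contact has certified valid, which is the side effect of silencing the warning that way.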