[pkg-gnupg-maint] Bug#817858: Bug#817858: gnupg: tsign domain not documented

Clint Adams clint@debian.org
Fri Mar 11 22:35:17 UTC 2016


On Fri, Mar 11, 2016 at 04:42:40PM -0500, Daniel Kahn Gillmor wrote:
> fwiw, it means "limit this trust signature to only cover certifications
> of User IDs with e-mail addresses that have the given domain after the @
> sign"
> 
> So if i tsign admin@example.org's key X with a domain of "example.org",
> then gpg will only be willing to rely on certifications from X over user
> IDs of the form "blah blah <blah@example.org>"
> 
> This is implemented with a specific, custom regex as documented here:
> 
>  https://tools.ietf.org/html/rfc4880#section-5.2.3.14
> 
> This is the rough equivalent of "name-constrained" X.509 CAs.

So is it accurate to say that if I fetch a key with a uid of the form
"Ben Wizner <pugnacious@aclu.org>" with a valid signature from you,
and I tsign all your uids with full trust and depth 1, I should see
"full" validity on that key whether I have specified the domain as
"aclu.org" or left it blank?
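Added illustration, not code from this thread or from GnuPG: the domain restriction dkg describes is carried as a regular expression subpacket, and RFC 4880 section 5.2.3.14 gives `<[^>]+[@.]example\.com>$` as the form that matches addresses at a domain and its subdomains. The snippet below builds that form for a given domain and checks which user IDs a certification from the tsigned key would be relied upon for; that gpg's tsign "domain" prompt maps onto exactly this regex shape is an assumption of the example, as are the sample user IDs.

```python
import re
from typing import List, Optional

# RFC 4880 section 5.2.3.14 shows the regex form  <[^>]+[@.]example\.com>$
# for "all e-mail addresses at example.com and its subdomains". This helper
# builds that form for an arbitrary domain; that a tsign domain answer turns
# into exactly this regex is an assumption of this example, not a GnuPG fact.
def tsign_domain_regex(domain: str) -> str:
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"


def uid_covered(uid: str, domain: Optional[str]) -> bool:
    """True if a certification by the tsigned key over `uid` may be relied
    upon under the given domain restriction. A blank domain means no regex
    subpacket was attached, so every user ID is covered."""
    if not domain:
        return True
    return re.search(tsign_domain_regex(domain), uid) is not None


# Constructed sample user IDs for the demonstration (the first follows the
# "blah blah <blah@example.org>" form quoted in the thread).
SAMPLE_UIDS = [
    "blah blah <blah@example.org>",
    "Alice <alice@mail.example.org>",            # subdomain, matched via [@.]
    "Mallory <mallory@example.org.attacker.example>",  # rejected: anchored by >$
    "Bob <bob@notexample.org>",                  # rejected: needs @ or . before domain
    "Carol <carol@example.net>",
]


def covered_uids(domain: Optional[str]) -> List[str]:
    """Return the sample user IDs whose certifications would be relied upon."""
    return [u for u in SAMPLE_UIDS if uid_covered(u, domain)]


if __name__ == "__main__":
    print("regex:", tsign_domain_regex("example.org"))
    print("domain example.org:", covered_uids("example.org"))
    print("no domain:", covered_uids(None))
```

The two cases that matter for the trust calculation are visible in the sample list: the `[@.]` alternation is what lets `mail.example.org` count as inside `example.org`, and the trailing `>$` anchor is what stops a look-alike domain with `example.org` as a prefix from being accepted.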
