[pkg-gnupg-maint] Bug#933791: gnupg: please document the consequences of not accepting third-party certifications from keyservers

Georg Faerber georg at debian.org
Mon Aug 5 00:56:46 BST 2019


Hi,

Just a short note on the following:

On 19-08-03 16:13:04, Francesco Poli (wintermute) wrote:
> Moreover, the usual recommendation after an identity and key
> fingerprint verification (at a key signing party or otherwise), is to
> sign Bob's key and then send the signed key to Bob's e-mail
> address, in an encrypted message: Bob will send the signature to the
> keyserver network, only if he is in control of the secret key and if
> he actually wants the new signature to be disclosed to the public.
> This is the default procedure implemented in caff, isn't it?

FWIW, caff provides an option which might help with this, in case the
above does relate to the question "how does one keep track of which
signatures were made, given the current situation with keyservers and
distribution of signatures":

  also-lsign-in-gnupghome [auto|ask|no]
    
    Whether to locally sign the UIDs in the user's GnuPGHOME, in
    addition to caff's signatures in its own GnuPGHOME. Such signatures
    are not exportable. This can be useful when the recipient forgets to
    upload the signatures caff sent (or if they are non-exportable as
    well), as it gives a way to keep track of which UIDs were verified.
    However, note that local signatures will not be deleted once the
    recipient does the upload and the signer refreshes her keyring.

    [...]

(Sorry for the noise in case I'm off track.)

Cheers,
georg
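One way to act on the caff note above, i.e. to see which UIDs you have verified but whose certification the recipient has not published yet, and which local signatures have become redundant after the upload. This is an added example, not code from this mail, from caff or from GnuPG: it parses the machine-readable output of `gpg --with-colons --list-signatures` (field layout as documented in GnuPG's doc/DETAILS) over a constructed sample with placeholder key IDs and user IDs.

```python
"""Find which UIDs carry local-only (lsign) certifications in a GnuPG keyring.

Added example, not code from the mail or from caff/GnuPG. It parses the
machine-readable output of `gpg --with-colons --list-signatures`; the sample
below is constructed, with placeholder key IDs and user IDs.
"""
from collections import defaultdict

# Signature classes 0x10-0x13 are UID certifications (generic, persona,
# casual, positive). Field 11 of a "sig" record carries that class followed
# by "x" (exportable) or "l" (local-only, as made by --lsign-key or caff's
# also-lsign-in-gnupghome).
CERT_CLASSES = {"10", "11", "12", "13"}

# Constructed sample: Bob's key with two UIDs. Alice has lsigned both; for the
# second UID Bob has since uploaded Alice's exportable signature as well.
SAMPLE = """\
pub:u:4096:1:00000000B0B0B0B0:1500000000::u:::scESC::::::23::0:
uid:u::::1500000000::HASH1::Bob Example <bob@example.org>::::::::::0:
sig:::1:00000000B0B0B0B0:1500000000::::Bob Example <bob@example.org>:13x:::::2:
sig:::1:00000000A11CE000:1560000000::::Alice Example <alice@example.org>:13l:::::2:
uid:u::::1500000000::HASH2::Bob Example <bob@work.example>::::::::::0:
sig:::1:00000000B0B0B0B0:1500000000::::Bob Example <bob@example.org>:13x:::::2:
sig:::1:00000000A11CE000:1560000000::::Alice Example <alice@example.org>:13l:::::2:
sig:::1:00000000A11CE000:1570000000::::Alice Example <alice@example.org>:13x:::::2:
"""


def iter_certifications(colon_output):
    """Yield (uid, signer_keyid, exportable, is_self_sig) for every UID
    certification; rev/uat/sub records and non-certification sigs are skipped."""
    primary_keyid = None
    uid = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary_keyid, uid = f[4], None
        elif f[0] == "uid":
            uid = f[9]          # gpg escapes ':' and non-ASCII as \xNN in this field
        elif f[0] in ("uat", "sub"):
            uid = None          # following sigs belong to an attribute or subkey
        elif f[0] == "sig" and uid is not None:
            sig_class = f[10]
            if sig_class[:2] in CERT_CLASSES:
                yield uid, f[4], sig_class.endswith("x"), f[4] == primary_keyid


def certification_status(colon_output):
    """Return {uid: {signer_keyid: "local-only" | "exportable" | "both"}},
    ignoring self-signatures."""
    status = defaultdict(dict)
    for uid, signer, exportable, is_self in iter_certifications(colon_output):
        if is_self:
            continue
        kinds = status[uid].setdefault(signer, set())
        kinds.add("exportable" if exportable else "local-only")
    return {uid: {s: ("both" if len(k) == 2 else next(iter(k))) for s, k in d.items()}
            for uid, d in status.items()}


def not_yet_published(status):
    """(uid, signer) pairs verified locally whose exportable certification
    has not shown up in the keyring yet."""
    return sorted((u, s) for u, d in status.items() for s, k in d.items() if k == "local-only")


def stale_local_sigs(status):
    """(uid, signer) pairs where the exportable certification has arrived but
    the local one is still present, as the caff documentation warns."""
    return sorted((u, s) for u, d in status.items() for s, k in d.items() if k == "both")


if __name__ == "__main__":
    st = certification_status(SAMPLE)
    for uid, signer in not_yet_published(st):
        print(f"local-only: {signer} on {uid}")
    for uid, signer in stale_local_sigs(st):
        print(f"stale lsig: {signer} on {uid}")
```

Run it against a real keyring with `gpg --with-colons --list-signatures | python3 thisfile.py` after replacing `SAMPLE` with `sys.stdin.read()`; the "stale lsig" list is what you would clean up by hand after the recipient has uploaded and you have refreshed your keyring.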
