I would like to use some PGP keys within my small company and everybody is allowed to use every private PGP key.
After importing a public PGP key in Kleopatra, the key has the status “not signed”. So it is neccessary to sign/certify the public key. It seems to be enough to sign the key with only ONE of the private keys, but I am not sure.
Has the imported public key to be signed with ALL of the private keys in order to be used from ALL private PGP-accounts?
This is where “Ownertrust” comes in.
It is enough to sign a key with another key that has “Ultimate” Ownertrust. Through Ultimate Owenertrust you mark for the system that a key is “your own key”. And then signatures made by this key on other keys automatically change them to “certified”.
You are asked when importing a secret key into Kleopatra if this is your Own key, which sets the value. Alternatively you can right click a key in Kleopatra to change Ownertrust.
I’ve just had a discussion with the main GnuPG developer about how key management could be easier for Administrators and he pointed out that there is the option “trusted-key ” which you could put in your gpg.conf
From the manual:
–trusted-key long key ID
Assume that the specified key (which must be given as a full 8 byte key ID) is
as trustworthy as one of your own secret keys. This option is useful if you don’t
want to keep your secret keys (or one of them) online but still want to be able to
check the validity of a given recipient’s or signator’s key.
So in theory you could have a ZiggZiggen secret key that signs other keys and all other users only have the ZiggZiggen public key, but as they have “trusted-key ” in their gpg.conf they would fully trust any signatures you made.
very interesting! Many thanks!!!