Re: How do I do this with OpenPGP?

2002-05-07 15:22:47

From: John Dlugosz

Thanks, Hal.

Is Trent's signature on the key itself or on a UserID?

It seems that either has semantic implications, but what do existing
general-purpose tools do?  I like the latter for my application.

Normally it is on a userid.  It is binding the given name to the key,
that is, the signature is asserting its belief that the name belongs
to the key and vice versa.

What's the relationship between the "Trust signature" key subpacket, and
using key types 0x11-0x13?

The trust signature subpacket is used for the signer to publicly declare
that he trusts the key being signed as a signing key.  Normally a
signature just means that the signer is asserting that the name belongs
with the key, and that's what the signature types 0x11-0x13 are for.

Trust signatures are used to enable what we call "meta introducers"
which are signers who are empowered to declare that other keys have
key-signing authority.  For example, in a corporate application the chief
security officer may be declared to be a meta-introducer by the employees,
and he can then delegate signing authority to departmental officers.

It's a somewhat complicated concept and not usually very useful outside
of relatively closed systems.
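As an added illustration of the two mechanisms Hal describes (not code from the thread's participants), the parser below reads the header of an OpenPGP v4 signature packet as laid out in RFC 4880, reports whether the signature is a 0x10-0x13 certification, extracts the Trust Signature subpacket (type 5: level, amount) if present, and checks a meta-introducer delegation chain. The packet bytes are constructed by hand and carry no real key material or MPIs.

```python
# OpenPGP v4 signature body (RFC 4880 5.2.3): version, sig type, pubkey alg,
# hash alg, 2-byte hashed subpacket length, hashed subpackets, ...
CERT_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
TRUST_SIG = 5  # subpacket type "Trust Signature": one byte level, one byte amount

def parse_subpackets(buf):
    """Split a subpacket area into (type, body) pairs (RFC 4880 5.2.3.1)."""
    out, i = [], 0
    while i < len(buf):
        b0 = buf[i]
        if b0 < 192:                       # one-octet length
            length, i = b0, i + 1
        elif b0 < 255:                     # two-octet length
            length, i = ((b0 - 192) << 8) + buf[i + 1] + 192, i + 2
        else:                              # five-octet length
            length, i = int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
        body = buf[i:i + length]
        i += length
        out.append((body[0] & 0x7F, body[1:]))  # bit 7 is the "critical" flag
    return out

def parse_v4_signature(pkt):
    """Return (certification type, trust level, trust amount) for a v4 signature."""
    if pkt[0] != 4:
        raise ValueError("only v4 signature packets are handled here")
    sig_type = pkt[1]
    hashed_len = int.from_bytes(pkt[4:6], "big")
    level = amount = None
    for stype, body in parse_subpackets(pkt[6:6 + hashed_len]):
        if stype == TRUST_SIG:
            level, amount = body[0], body[1]   # e.g. level 2 = meta-introducer
    return CERT_TYPES.get(sig_type, hex(sig_type)), level, amount

def delegation_ok(levels):
    """A level-n trust signature lets its holder issue at most level n-1, so a
    chain (meta-introducer -> introducer -> plain certification) must step down
    by at least one each hop and end at level 0 (an ordinary userid cert)."""
    return all(b <= a - 1 for a, b in zip(levels, levels[1:])) and levels[-1] == 0

# Constructed samples: positive cert (0x13) carrying tsig level 2, amount 120;
# and a casual cert (0x12) with no hashed subpackets at all.
SAMPLE_TSIG = bytes([4, 0x13, 1, 8, 0, 4, 3, TRUST_SIG, 2, 120, 0, 0, 0xAB, 0xCD])
SAMPLE_PLAIN = bytes([4, 0x12, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD])

if __name__ == "__main__":
    print(parse_v4_signature(SAMPLE_TSIG))    # ('positive', 2, 120)
    print(parse_v4_signature(SAMPLE_PLAIN))   # ('casual', None, None)
    print(delegation_ok([2, 1, 0]), delegation_ok([1, 1, 0]))  # True False
```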


