# PGP-Signed Lockbox Key Claims

## Purpose

A PGP-signed Lockbox key claim lets a user bind an existing OpenPGP identity to a Lockbox public key.

This can remove the need for person-to-person verification of the Lockbox key when the recipient already trusts the signer's PGP identity.

## Trust Model

PGP signing shifts the trust decision. It does not remove it.

Without PGP:

```
Verify Alice's Lockbox public key directly.
```

With PGP:

```
Verify Alice's PGP key, then trust the Lockbox key it signs.
```

This is useful when one of these is true:

* Bob already trusts Alice's PGP fingerprint.
* Alice's PGP key is published through a company WKD and Bob trusts that domain.
* Alice's PGP key is signed by a trusted organization or introducer.
* Enterprise policy says keys from a specific domain directory are authoritative.

If Bob does not already trust Alice's PGP key, the signature only proves that the Lockbox key was signed by the fetched PGP key. It does not prove that the PGP key belongs to Alice.

## Proposed CLI

Alice creates a signed claim:

```bash
lockbox contact claim alice@example.com --lockbox-key alice.pub --sign-with-pgp
```

The claim contains:

```
identity: alice@example.com
lockbox_public_key: ...
lockbox_fingerprint: ...
pgp_fingerprint: ...
created_at: ...
signature: ...
```

Bob imports the claim:

```bash
lockbox contact add alice@example.com --method pgp-signed
```

Lockbox should:

1. Fetch Alice's PGP public key from WKD, a configured keyserver, or a supplied local key file.
2. Verify the signed Lockbox-key claim.
3. Check whether the PGP key is trusted by local policy or prior verification.
4. Store Alice's Lockbox public key with an appropriate trust state.

## Trust States

If the PGP key is trusted:

```
trust: pgp-validated
```

If the PGP key is not trusted:

```
trust: unverified
reason: lockbox key is signed, but the signing PGP identity is not trusted
```

In the untrusted case, Lockbox should still require an explicit verification step before using the key without warnings.
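The claim format, the four import steps and the two trust states described above, modelled end to end as an added example; this is not Lockbox's own code. A real implementation verifies a detached OpenPGP signature with the fetched public key; because that needs an OpenPGP library, the signature is stood in for here by an HMAC-SHA256 tag under a shared secret so the example runs with the Python standard library alone. The fixed field order used for the signed bytes, the `FetchedPgpKey` and `TrustPolicy` structures, the fingerprint and identity matching checks, the `rejected` outcome for a claim that does not verify, and all sample values are assumptions made for this example rather than anything the page specifies.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Fixed field order so that signer and verifier hash identical bytes (assumed encoding;
# the page lists the fields but not how they are serialised for signing).
CLAIM_FIELDS = ("identity", "lockbox_public_key", "lockbox_fingerprint",
                "pgp_fingerprint", "created_at")

UNTRUSTED_REASON = "lockbox key is signed, but the signing PGP identity is not trusted"


def canonical_bytes(claim: dict) -> bytes:
    return "\n".join(f"{name}: {claim[name]}" for name in CLAIM_FIELDS).encode()


def sign_claim(claim: dict, signing_secret: bytes) -> dict:
    """Alice's side (`lockbox contact claim ... --sign-with-pgp`); HMAC stands in for OpenPGP."""
    tag = hmac.new(signing_secret, canonical_bytes(claim), hashlib.sha256).hexdigest()
    return {**claim, "signature": tag}


@dataclass(frozen=True)
class FetchedPgpKey:
    fingerprint: str
    user_id: str          # e-mail address carried in the key's User ID
    source: str           # "wkd:<domain>", "keyserver" or "file" (step 1 of the import)
    verify_secret: bytes  # stand-in for the public key material


@dataclass
class TrustPolicy:
    trusted_fingerprints: set = field(default_factory=set)       # prior verification by Bob
    authoritative_wkd_domains: set = field(default_factory=set)  # "keys from this directory are authoritative"

    def trusts(self, key: FetchedPgpKey) -> bool:
        if key.fingerprint in self.trusted_fingerprints:
            return True
        scheme, _, domain = key.source.partition(":")
        return scheme == "wkd" and domain in self.authoritative_wkd_domains


@dataclass
class ImportResult:
    trust: str                    # "pgp-validated", "unverified" or "rejected"
    reason: str = ""
    lockbox_public_key: str = ""  # empty when nothing was stored


def import_claim(requested: str, signed: dict, key: FetchedPgpKey,
                 policy: TrustPolicy) -> ImportResult:
    """Bob's side (`lockbox contact add <identity> --method pgp-signed`), steps 2 to 4."""
    claim = {name: signed[name] for name in CLAIM_FIELDS}
    # Step 2: the signature must verify under the key that was fetched, and the claim must be
    # about that key and the identity Bob asked for; otherwise a valid claim for some other
    # identity or key could be presented in place of Alice's.
    expected = hmac.new(key.verify_secret, canonical_bytes(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return ImportResult("rejected", "signature does not verify under the fetched PGP key")
    if claim["pgp_fingerprint"] != key.fingerprint:
        return ImportResult("rejected", "claim names a PGP fingerprint other than the fetched key")
    if claim["identity"] != requested or key.user_id != requested:
        return ImportResult("rejected", "claim identity or PGP User ID does not match the requested contact")
    # Step 3: a valid signature only proves the Lockbox key was signed by this PGP key.
    # Whether this PGP key is Alice's is decided by local policy or prior verification.
    if policy.trusts(key):
        return ImportResult("pgp-validated", lockbox_public_key=claim["lockbox_public_key"])
    # Step 4: store the key anyway, but flagged so that explicit verification is still required.
    return ImportResult("unverified", UNTRUSTED_REASON, claim["lockbox_public_key"])


def demo() -> dict:
    """Constructed sample data: Alice's key and claim, imported under several of Bob's policies."""
    secret = b"constructed-stand-in-for-alice-pgp-key"
    alice_key = FetchedPgpKey("A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",  # constructed fingerprint
                              "alice@example.com", "wkd:example.com", secret)
    claim = sign_claim({
        "identity": "alice@example.com",
        "lockbox_public_key": "lbx1-constructed-public-key",
        "lockbox_fingerprint": "lbx-fp-constructed",
        "pgp_fingerprint": alice_key.fingerprint,
        "created_at": "2024-01-01T00:00:00Z",
    }, secret)
    tampered = {**claim, "lockbox_public_key": "lbx1-substituted-key"}  # body changed, signature not
    return {
        "prior_verification": import_claim("alice@example.com", claim, alice_key,
                                           TrustPolicy(trusted_fingerprints={alice_key.fingerprint})),
        "authoritative_wkd": import_claim("alice@example.com", claim, alice_key,
                                          TrustPolicy(authoritative_wkd_domains={"example.com"})),
        "no_trust": import_claim("alice@example.com", claim, alice_key, TrustPolicy()),
        "wrong_identity": import_claim("bob@example.com", claim, alice_key,
                                       TrustPolicy(trusted_fingerprints={alice_key.fingerprint})),
        "tampered": import_claim("alice@example.com", tampered, alice_key, TrustPolicy()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} trust={result.trust:14} {result.reason}")
```

The split that matters is between step 2 and step 3: a claim that verifies under the fetched key but whose key no policy trusts is still stored, as `unverified` with the page's reason string, because the signature alone says nothing about whether that PGP key is Alice's. Only a key the policy already trusts, through a previously verified fingerprint or an authoritative WKD domain, yields `pgp-validated`.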

## Key Point

A PGP-signed claim can avoid manual verification of the Lockbox key only when the PGP identity is already trusted through another mechanism.
