On Fri, Mar 11, 2016 at 04:42:40PM -0500, Daniel Kahn Gillmor wrote:
> fwiw, it means "limit this trust signature to only cover certifications
> of User IDs with e-mail addresses that have the given domain after the @
> sign"
>
> So if i tsign ad...@example.org's key X with a domain of "example.org",
> then gpg will only be willing to rely on certifications from X over user
> IDs of the form "blah blah <b...@example.org>"
>
> This is implemented with a specific, custom regex as documented here:
>
> https://tools.ietf.org/html/rfc4880#section-5.2.3.14
>
> This is the rough equivalent of "name-constrained" X.509 CAs.
So is it accurate to say that if I fetch a key with a uid of the form "Ben Wizner <pugnaci...@aclu.org>" with a valid signature from you, and I tsign all your uids with full trust and depth 1, I should see "full" validity on that key whether I have specified the domain as "aclu.org" or left it blank?
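As an added illustration (not part of the thread), the following shows how the domain scope on a trust signature translates into the RFC 4880 regular-expression subpacket and which user IDs it covers. It assumes gpg builds the subpacket as `<[^>]+[@.]DOMAIN>$` with the domain escaped, and that leaving the domain blank emits no regex at all; the user IDs are constructed samples.

```python
import re
from typing import Optional

def trust_sig_regex(domain: Optional[str]) -> Optional[str]:
    """Regular-expression subpacket (RFC 4880 5.2.3.14) for a tsign
    scoped to one mail domain.

    Assumption: gpg emits '<[^>]+[@.]DOMAIN>$'. The '[@.]' lets the
    domain match either the whole host part or a parent domain of it,
    while '>$' forces the address to be the last thing in the user ID,
    so 'example.org.evil.com' or a trailing comment cannot sneak past.
    A blank domain means no subpacket, i.e. the tsign is unrestricted."""
    if not domain:
        return None
    return "<[^>]+[@.]" + re.escape(domain) + ">$"

def certification_usable(domain: Optional[str], user_id: str) -> bool:
    """True if a certification by the tsigned key over user_id counts
    toward that user ID's validity under this trust signature."""
    pattern = trust_sig_regex(domain)
    if pattern is None:
        return True            # unrestricted tsign: every user ID qualifies
    return re.search(pattern, user_id) is not None

# Constructed sample user IDs (not taken from the thread).
SAMPLE_UIDS = [
    "Alice Example <alice@example.org>",         # exact domain
    "Alice Example <alice@mail.example.org>",    # subdomain, matched via '.'
    "Mallory <mallory@notexample.org>",          # suffix lookalike, rejected
    "Mallory <mallory@example.org.evil.com>",    # domain not at end, rejected
    "Eve <eve@example.org> (alias)",             # trailing text, rejected
]

def covered_uids(domain: Optional[str]):
    """User IDs from SAMPLE_UIDS that a domain-scoped tsign would cover."""
    return [uid for uid in SAMPLE_UIDS if certification_usable(domain, uid)]

if __name__ == "__main__":
    print("regex:", trust_sig_regex("example.org"))
    for uid in SAMPLE_UIDS:
        print(certification_usable("example.org", uid), uid)
```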