Why is ~/.gnupg/trustdb.gpg readable by all?

Bud Rogers budr@sirinet.net
Thu Feb 8 01:19:02 2001 

On Wednesday 07 February 2001 14:28, George Sinclair wrote:


> Bear with me a moment while I ramble away with some prefatory

> rhetoric.

>

> When a key is created, a trust value pair is associated with

> the key. The first is the assigned owner trust, and the second is the

> calculated trust value. This is always '-/u' ('-' = No owner-trust

> assigned or not yet calculated, 'u'=Ultimately trusted).


Hello George,

Thanks for that thoughtful explanation.  I am brand new to the list, so 
forgive me if I'm about to ask a FAQ, but you've touched on a question 
that I am struggling with.  How does a newcomer jumpstart their 
connection to the web of trust?

I've been a regular on various mailing lists and newsgroups for years.  
I have a lot of friends on line but most of them I have never met face 
to face and probably never will.  I've known about PGP for years and 
GnuPG for a while but have not actually had much of a need for them 
until quite recently.  

So I'm a new kid on the block.  I've got a couple of key sets for home 
and work.   I've signed my own keys, but they haven't been signed by 
anyone else.  Likewise, I've imported a bunch of other peoples' keys.  
Some of them have been signed by lots of other people, but I haven't 
signed any of them except the two or three that I have met face to 
face, exchanged proper identification and all that.  I don't go to a 
lot of cons or whatever, so I don't have many opportunities to go to 
key signings.

Occasionally I get a signed email from someone and gpg reports it as a 
bad signature.  Further investigation reveals the sig is good but there 
is no valid trust path to the signature.  I embarrassed myself pretty 
good before I figured out what that really meant.

I want to sign other peoples' keys, and get them to sign mine, in order 
to become part of the web of trust all the docs talk about.  As you've 
said, I have to sign a key before it is considered fully trusted.  But 
all the docs say don't sign any key unless you have gone to some 
extraordinary lengths to verify that person's identity.  How do I 
resolve that contradiction?

-- 
Bud Rogers <budr@sirinet.net>   http://www.sirinet.net/~budr/zamm.html
    All things in moderation.  And not too much moderation either.
	Finger budr@sirinet.net for gpg fingerprints.