tracing the Web of Trust?

Charles Mauch cmauch at
Fri Aug 12 09:54:03 CEST 2005

Quoting "Michael W. Lucas" <mwlucas at>:
> I'm trying to learn if there's a tool to trace the web of trust 
> between two keys.
> For example, suppose I get an email from someone I've never heard of 
> and want to learn if there is any valid chain of signatures leading 
> from me to him.

If your using an old version of gnupg, you can use Darxus's sigtrace[1] and
mutt-sigtrace[2] to display pgp signature path traces inline with the pgp
signature verification of your MUA. (I use mutt)

I maintain some newer[3] versions of these same scripts, which works with
gnupg's --with-colons mode.  The end result isn't quite as pretty, but it
does work.

You can also use wotsap[4] data to determine a signature path.  I
discovered it after I'd customized sigtrace for my own use.

There are a variety of web-enabled tools to achieve the same results if
your only interested in casual tracing.  The most well known of these I
think is probably Jason Harris's keyserver which can be used by playing
with the following url:

Once I started tracing all the pgp keys that I came across, I noticed my
attitudes toward key trust changed.  For example, I used to think CA Robots
were a great idea.  Now i tend to not trust any key verified through a CA
robot.  You really start to appreciate the WoT for what it is when you see
it in action all day long.


Charles Mauch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050812/63de760c/attachment.pgp

More information about the Gnupg-users mailing list