tracing the Web of Trust?
cmauch at taclug.org
Fri Aug 12 09:54:03 CEST 2005
Quoting "Michael W. Lucas" <mwlucas at blackhelicopters.org>:
> I'm trying to learn if there's a tool to trace the web of trust
> between two keys.
> For example, suppose I get an email from someone I've never heard of
> and want to learn if there is any valid chain of signatures leading
> from me to him.
If your using an old version of gnupg, you can use Darxus's sigtrace and
mutt-sigtrace to display pgp signature path traces inline with the pgp
signature verification of your MUA. (I use mutt)
I maintain some newer versions of these same scripts, which works with
gnupg's --with-colons mode. The end result isn't quite as pretty, but it
You can also use wotsap data to determine a signature path. I
discovered it after I'd customized sigtrace for my own use.
There are a variety of web-enabled tools to achieve the same results if
your only interested in casual tracing. The most well known of these I
think is probably Jason Harris's keyserver which can be used by playing
with the following url:
Once I started tracing all the pgp keys that I came across, I noticed my
attitudes toward key trust changed. For example, I used to think CA Robots
were a great idea. Now i tend to not trust any key verified through a CA
robot. You really start to appreciate the WoT for what it is when you see
it in action all day long.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050812/63de760c/attachment.pgp
More information about the Gnupg-users