How trust works in gpg...

Sven Radde email at sven-radde.de
Tue Apr 15 16:56:59 CEST 2008


Mark H. Wood schrieb:
> The safest thing for gpg to assume
> is that I assign no trust at all until I have instructed it
> otherwise.
AFAIK this is the default behaviour, isn't it?
You have the option of specifying "trusted introducers" (i.e. keys 
signed by those are automatically considered valid by you), but you 
don't have to.

To me it looks like the two "trust" concepts of GnuPG are somewhat 
intermingled in this discussion:
- First, there's the "trust" in a UID which means that you trust the 
association between the key and the person identified by the UID. This 
is usually expressed by signing the UID in question. Another term would 
be "validity" of the key, IIRC.
- Second, there's the "owner trust" assigned to a key, meaning that you 
trust that the key's owner, before signing other UIDs, has made 
reasonable checks of the "trust" defined above. Default for this kind of 
trust is AFAIK "none", and you may manually set it to "marginal" or 
"full". You can then configure GnuPG to consider UIDs valid (i.e. you 
yourself "trust" them according to the first definition) when a certain 
number of "marginally" and/or "fully" trusted signatures have already 
been made on that UID.

HTH, Sven
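The two notions Sven separates (validity of a UID versus ownertrust of a key) can be modelled in a few lines. This is an added example, not GnuPG's code; it assumes GnuPG's default thresholds (three marginal or one full signature, certification depth 5) and uses a constructed sample keyring.

```python
"""Toy model of the GnuPG web-of-trust validity computation described above.
Added example, not GnuPG's code. Assumes GnuPG's default thresholds
(--marginals-needed 3, --completes-needed 1, --max-cert-depth 5); the key
names and signatures below are constructed sample data."""

NONE, MARGINAL, FULL, ULTIMATE = "none", "marginal", "full", "ultimate"

def compute_validity(signatures, ownertrust, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """signatures: {signed_key: {signer_key, ...}} (signatures on that UID);
    ownertrust: {key: NONE|MARGINAL|FULL|ULTIMATE}.
    Returns the set of keys whose UID ends up valid.
    A signature counts only if the signer's key is itself already valid
    and carries ownertrust; validity spreads one certification depth
    per round, so a long chain stops at max_cert_depth."""
    valid = {k for k, t in ownertrust.items() if t == ULTIMATE}
    for _depth in range(max_cert_depth):
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = marginal = 0
            for signer in signers:
                if signer not in valid:
                    continue  # signer not (yet) valid: signature ignored
                t = ownertrust.get(signer, NONE)
                if t in (FULL, ULTIMATE):
                    full += 1
                elif t == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample keyring: "me" is our own (ultimately trusted) key.
OWNERTRUST = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL,
              "carol": MARGINAL, "dave": FULL, "eve": NONE}
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "frank": {"alice", "bob", "carol"},  # three marginals -> valid
    "grace": {"alice", "bob"},           # two marginals only -> not valid
    "heidi": {"dave"},                   # one fully trusted signer -> valid
    "eve": {"dave"},                     # valid, but ownertrust stays "none"
    "ivan": {"eve"},                     # eve is valid yet not an introducer
}
```

Calling `compute_validity(SIGNATURES, OWNERTRUST)` shows that "eve" becomes valid without ever becoming an introducer, which is exactly the distinction between validity and ownertrust made in the reply.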
