Aspects of trust

David Shaw dshaw at jabberwocky.com
Tue Jun 14 21:19:56 CEST 2011


On Jun 14, 2011, at 1:16 PM, Kerrick Staley wrote:

> This is to confirm my understanding of an important aspect of the way
> GnuPG works:
> 
> When you decide whether to trust a signature, there are two questions
> that must be asked:
> a) Does the key used to make this signature really belong to the
> person named in the certificate's UID?
> b) Given that the key is valid, is the person trustworthy?
> GnuPG and the web-of-trust concept only manage information related to
> the first question. GnuPG provides no means of encoding or storing the
> fact that a person is or is not trustworthy; it merely displays the
> UID when verifying a signature, and the user is left to decide whether
> the person should be trusted.

Sort of.

For signatures on keys (certifications), when building the web of trust, you get to specify a trust value (called "ownertrust") that is fed into the web of trust calculations.  This is not "do I trust this keyholder", but rather "do I trust this keyholder to make good signatures".  This influences which keys are marked as valid in the web of trust ("valid" meaning "we're pretty sure this key belongs to the person who it claims to belong to").

For example, a signature from someone who you trust to make good signatures can cause the key they sign to be valid, but you might want two signatures from two people who you only trust a little bit to make good signatures to make a key valid.

For signatures on data, this doesn't directly apply.  A signature from a valid key on data is valid.

So the web of trust seeks to give you a), and you have the ability to customize the web of trust based on your opinion of how well the keyholders make signatures on other keys.

David
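To make the validity rules in the reply above concrete, here is an added example (not code from the original post nor from GnuPG itself) that computes which keys a keyring marks as valid from certifications plus ownertrust. Key names are hypothetical and constructed; the thresholds default to GnuPG's documented `completes-needed 1` and `marginals-needed 3`, and certification-depth limits are left out.

```python
from collections import Counter

# Ownertrust levels use GnuPG's names; "ultimate" marks the user's own keys.
ULTIMATE, FULL, MARGINAL, NEVER, UNKNOWN = "ultimate", "full", "marginal", "never", "unknown"


def compute_validity(certs, ownertrust, completes_needed=1, marginals_needed=3):
    """Return the set of key ids the web of trust marks as valid.

    certs:      key id -> set of key ids that certified (signed) it.
    ownertrust: key id -> ownertrust level ("do I trust this keyholder to
                make good signatures"); keys not listed count as unknown.
    A certification counts only if the signing key is itself valid AND its
    owner is trusted to certify. One signature from an ultimately trusted key,
    or `completes_needed` fully trusted keys, or `marginals_needed` marginally
    trusted keys, makes a key valid. (Certification depth limits are omitted.)
    """
    valid = {k for k, t in ownertrust.items() if t == ULTIMATE}
    changed = True
    while changed:  # newly valid keys may validate others, so iterate to a fixpoint
        changed = False
        for key, signers in certs.items():
            if key in valid:
                continue
            counts = Counter(ownertrust.get(s, UNKNOWN) for s in signers if s in valid)
            if (counts[ULTIMATE] >= 1
                    or counts[FULL] >= completes_needed
                    or counts[MARGINAL] >= marginals_needed):
                valid.add(key)
                changed = True
    return valid


# Constructed keyring (hypothetical names): "me" is the user's own key.
OWNERTRUST = {"me": ULTIMATE, "alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
              "dave": MARGINAL, "erin": FULL}
CERTS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "heidi": {"alice"},                 # one fully trusted signer suffices
    "frank": {"bob", "carol", "dave"},  # three marginal signers reach the default
    "erin": {"bob", "carol"},           # two marginal signers fall short by default
    "grace": {"erin"},                  # erin is fully trusted but not valid herself
}

if __name__ == "__main__":
    print(sorted(compute_validity(CERTS, OWNERTRUST)))
    # Tighter or looser thresholds change which keys become valid:
    print(sorted(compute_validity(CERTS, OWNERTRUST, completes_needed=2)))
    print(sorted(compute_validity(CERTS, OWNERTRUST, marginals_needed=2)))
```

The "grace" case shows the point of the reply: ownertrust on erin's key is irrelevant until erin's key is itself valid.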



