Bug in "web of trust"?

Michael Roth mroth at nessie.de
Fri Oct 1 03:42:00 CEST 1999


On Fri, 1 Oct 1999, sashikala prasad wrote:

> 6.0. I believe I have found a bug in the way the "web of trust" works,

This isn't a bug, this is a feature (IMHO)!


> --list-sigs" by Harry now shows that Dick's public key is signed by Tom,
> and Tom's public key is signed by Harry himself. A "gpg --edit-key Tom"
> also shows that Tom is fully trusted ("f/f"). The web of trust (chain of
> trust?) should now be complete (?). Harry should trust messages signed
> by Dick, because Dick's public key is signed by Tom, and Tom's public
> key is signed by Harry himself. Besides, Harry trusts Tom to verify
> other public keys.

Yes. But you must define the ownertrust of Dick. Set the Ownertrust of
Dick to "I don't know" or "I don't trust" or to a higher value if you
trust him.
GnuPG accepts a key only as valid if a valid certification path exists
_and_ the ownertrust of the receiving key is _defined_. The value of the
ownertrust is unimportant to a key to be valid. But you _must_ _define_ 
the ownertrust. Newly imported keys don't have an ownertrust set at all.
The ownertrust of those keys is undefined.

This is a feature. Because you must set the ownertrust first to every new
key imported to paricipate in the trust path calculation, every key
you use has a _defined_ ownertrust value. You don't work with keys you
never checked further.


cu
		Michael




More information about the Gnupg-devel mailing list